Cryptographic failures (OWASP Top 10 2021, A02): transmitting sensitive data in cleartext, using weak or broken algorithms (MD5, SHA-1, DES, RC4), poor key management (hardcoded, shared or never-rotated keys), and misusing otherwise sound primitives (e.g. a fast hash for passwords, an unauthenticated cipher mode, a reused nonce/IV).
Examples: sending PII over plain HTTP, storing passwords as unsalted MD5 (or any fast hash), hardcoded encryption keys in source, clients that skip TLS certificate/hostname validation. Fix: TLS everywhere (with certificate and hostname checks left on); a slow, salted password hash such as bcrypt, scrypt or Argon2id; authenticated encryption (AES-256-GCM or ChaCha20-Poly1305) with a fresh nonce per message; keys loaded from a secrets manager/KMS or the environment, never hardcoded, and rotated.
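The three fixes that need no third-party library, as an added example (not code from the original notes or from OWASP): an unsalted-MD5 "before" beside a salted scrypt password hash with constant-time verification, a key loader that refuses to run without a properly sized key from the environment, and a TLS client context that keeps chain and hostname checks on. Names such as hash_password, load_key and APP_DATA_KEY, and the scrypt work factors, are this example's own assumptions. Authenticated encryption (AES-GCM / ChaCha20-Poly1305) is not in the Python stdlib and is not shown here.

```python
"""Worked fixes for three A02 Cryptographic Failures, Python stdlib only.

1. unsalted MD5 password storage  -> salted, memory-hard scrypt (hashlib)
2. hardcoded encryption key       -> key loaded from the environment, validated
3. TLS without certificate checks -> ssl.create_default_context()

All function and variable names below are this example's own choices.
"""
import hashlib
import hmac
import os
import secrets
import ssl
from typing import Mapping

# --- 1. password storage -----------------------------------------------------

def insecure_hash(password: str) -> str:
    """The 'before': unsalted MD5. Fast, and equal passwords give equal
    digests, so one precomputed table cracks every account at once."""
    return hashlib.md5(password.encode()).hexdigest()

# scrypt work factors (assumed defaults for this example; tune per deployment).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024  # bytes; must exceed 128 * N * r * p

def hash_password(password: str) -> str:
    """Salted, memory-hard hash. The record is self-describing so the
    parameters can be raised later without breaking stored hashes."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, password: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # unknown or malformed record: never "fall back" to MD5
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p),
                               maxmem=SCRYPT_MAXMEM, dklen=32)
    # Constant-time comparison: no timing side channel on the digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- 2. key management -------------------------------------------------------

KEY_ENV_VAR = "APP_DATA_KEY"  # assumed variable name; hex-encoded 32-byte key
KEY_LEN = 32                   # AES-256 / ChaCha20 key size in bytes

def load_key(env: Mapping[str, str] = os.environ) -> bytes:
    """Never `KEY = b"..."` in source. Pull the key from the environment
    (injected by a secrets manager) and validate it so a typo or an empty
    variable cannot silently weaken encryption."""
    raw = env.get(KEY_ENV_VAR)
    if raw is None:
        raise ValueError(f"{KEY_ENV_VAR} not set; refusing to run without a key")
    try:
        key = bytes.fromhex(raw)
    except ValueError:
        raise ValueError(f"{KEY_ENV_VAR} must be hex-encoded") from None
    if len(key) != KEY_LEN:
        raise ValueError(f"{KEY_ENV_VAR} must be {KEY_LEN} bytes, got {len(key)}")
    return key

# --- 3. TLS certificate validation -------------------------------------------

def tls_client_context() -> ssl.SSLContext:
    """Chain verification and hostname checking on, TLS < 1.2 off.
    The broken pattern this replaces is
    ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong"))                         # False
    # Same digest for every user with this password: the MD5 problem.
    print(insecure_hash("hunter2") == insecure_hash("hunter2"))     # True
    print(tls_client_context().verify_mode)                         # VerifyMode.CERT_REQUIRED
```

Pass `tls_client_context()` as the `ssl_context` argument to whatever HTTP client is in use; the stored password record carries its own parameters, so raising SCRYPT_N later only affects new hashes and verification of old ones keeps working.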