R134. Store passwords with salt

Requirement

The system must store passwords as key derivations that use a different, unpredictable salt for each password, so that identical passwords never produce the same stored value.

References

  1. CIS Controls. 16.4 Encrypt or Hash All Authentication Credentials. Encrypt or hash with a salt all authentication credentials when stored.

  2. CWE-759: Use of a One-Way Hash without a Salt. The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.

  3. CWE-760: Use of a One-Way Hash with a Predictable Salt. The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input.

  4. CWE-916: Use of Password Hash With Insufficient Computational Effort. The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

  5. NIST 800-63B 5.1.1.2 Memorized Secret Verifiers. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.

  6. OWASP-ASVS v4.0.1 V2.4 Credential Storage Requirements. (2.4.1) Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash.
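The following Python is an added example, not part of the Fluid Attacks requirement text, of a password store that meets the references above: a fresh random salt per password (CWE-759, CWE-760), a configurable cost factor (CWE-916), and a self-describing record so the cost can be raised later. The record format, the PBKDF2-HMAC-SHA256 choice and the cost value are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example; tune the cost factor to your hardware.
ALGORITHM = "pbkdf2_sha256"
COST_FACTOR = 600_000     # PBKDF2 iteration count: makes offline cracking expensive
SALT_BYTES = 16           # 128-bit salt drawn from the OS CSPRNG, never reused

def hash_password(password: str, cost_factor: int = COST_FACTOR) -> str:
    """Derive a record 'algorithm$cost$salt$hash' with a new random salt every call."""
    salt = os.urandom(SALT_BYTES)          # unique and unpredictable per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost_factor)
    return "$".join([ALGORITHM, str(cost_factor), _b64(salt), _b64(digest)])

def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash using the salt and cost stored in the record, then compare."""
    try:
        algorithm, cost, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected, cost_factor = _unb64(salt_b64), _unb64(digest_b64), int(cost)
    except (ValueError, TypeError):
        return False                        # malformed record is never a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost_factor)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, candidate)

def needs_rehash(record: str) -> bool:
    """True when the stored cost is below the current policy; rehash at next login."""
    return int(record.split("$")[1]) < COST_FACTOR

def salt_of(record: str) -> bytes:
    """Return the salt so a test can confirm equal passwords get different salts."""
    return _unb64(record.split("$")[2])

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)
```

Because the salt is stored alongside the hash, it need not be secret; its job is to make precomputed tables useless and to keep equal passwords from producing equal records.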

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
