The system must store passwords using key derivations with a different salt for each password.
CIS Controls. 16.4 Encrypt or Hash All Authentication Credentials. Encrypt or hash with a salt all authentication credentials when stored.
CWE-759: Use of a One-Way Hash without a Salt. The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.
CWE-760: Use of a One-Way Hash with a Predictable Salt. The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input.
CWE-916: Use of Password Hash With Insufficient Computational Effort. The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
NIST 800-63B 5.1.1.2 Memorized Secret Verifiers. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.
OWASP-ASVS v4.0.1 V2.4 Credential Storage Requirements. (2.4.1) Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash.