R333. Store salt values separately

Requirement

The salt values used during the password hashing process must be stored separately from the hashed passwords.

Description

Adding a random salt to each password before hashing drastically increases the effort required to crack it, since precomputed tables cannot be reused and every password must be attacked individually. Salt values (in particular the secret salt, often called a pepper, that the referenced standards describe) should be stored in a system different from the one that holds the hashed passwords, so that if the hashes are breached, an attacker still has to test every possible salt value in order to crack a single password.
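A minimal illustration of the separation this requirement asks for, as an added example that is not from the original page or from Fluid Attacks: the per-user salt stays next to the hash, while the secret salt lives in a separate store and is only fetched at verification time, so a copy of the password store alone cannot be checked against guesses. The two dicts standing in for two systems, the store name "pepper-v1" and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stores: two plain dicts stand in for two separate systems
# (e.g. the user database and a vault/HSM that never shares its contents).
PASSWORD_STORE: dict[str, dict] = {}      # username -> salt, hash, secret name
SECRET_SALT_STORE: dict[str, bytes] = {}  # held only on the separate system

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def provision_secret_salt(store: dict, name: str = "pepper-v1") -> bytes:
    """Generate the secret salt once and keep it only in the separate store."""
    store[name] = secrets.token_bytes(32)
    return store[name]


def derive(password: str, per_user_salt: bytes, secret_salt: bytes) -> bytes:
    """Stretch the password over both the secret salt and the per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), secret_salt + per_user_salt, PBKDF2_ITERATIONS
    )


def register(username: str, password: str, secret_salt: bytes) -> None:
    """Store only the per-user salt, the hash and a reference to the secret salt."""
    per_user_salt = os.urandom(16)
    PASSWORD_STORE[username] = {
        "salt": per_user_salt,
        "hash": derive(password, per_user_salt, secret_salt),
        "secret_name": "pepper-v1",  # pointer, never the secret value itself
    }


def verify(username: str, password: str, secret_salt_lookup) -> bool:
    """Check a login; secret_salt_lookup fetches from the separate store."""
    rec = PASSWORD_STORE.get(username)
    if rec is None:
        return False
    secret = secret_salt_lookup(rec["secret_name"])
    candidate = derive(password, rec["salt"], secret)
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(candidate, rec["hash"])
```

Anyone holding only PASSWORD_STORE would have to try every possible 32-byte secret salt before a single guess could be confirmed.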

References

  1. CWE-916: Use of Password Hash With Insufficient Computational Effort. The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

  2. NIST 800-63B, 5.1.1.2 Memorized Secret Verifiers: The secret salt value SHALL be stored separately from the hashed memorized secrets (e.g., in a specialized device like a hardware security module).

  3. OWASP ASVS v4.0.1, V2.4 Credential Storage Requirements, 2.4.5: The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module).

  4. OWASP ASVS v4.0.1, V6.4 Secret Management, 6.4.2: Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations.

  5. PCI DSS v3.2.1, Requirement 3.5.3: Store secret and private keys used to encrypt/decrypt cardholder data encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.