R127. Store hashed passwords

Requirement

Passwords must be salted and hashed before being stored, using a password hashing function designed for the purpose, such as PBKDF2 or bcrypt, rather than a fast general-purpose hash.

Description

A hash function maps data of arbitrary size to a fixed-size value. A cryptographic hash is one-way: given the output, it is computationally infeasible to recover the input. Hashing passwords therefore prevents an unauthorized actor who gains access to the storage system (for example, through a database dump) from obtaining the passwords directly. Such an attacker can still guess candidate passwords and hash them offline, so the function must be deliberately slow (a key derivation function such as PBKDF2 or bcrypt with a high iteration count or work factor), and each password must be combined with a unique random salt so that identical passwords do not produce identical hashes and precomputed tables are useless.

References

  1. CWE-916: Use of Password Hash With Insufficient Computational Effort. The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

  2. NIST SP 800-63B, 5.1.1.2 Memorized Secret Verifiers. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.

  3. OWASP ASVS v4.0.1, V2.4 Credential Storage Requirements (2.4.1). Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function.

  4. OWASP ASVS v4.0.1, V2.4 Credential Storage Requirements (2.4.3). Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations.

  5. OWASP ASVS v4.0.1, V2.4 Credential Storage Requirements (2.4.4). Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
