R135. Passwords with random salt

Requirement

Salt values in passwords must be random and have a minimum length of 48 bits.

References

  1. CWE-759: Use of a One-Way Hash without a Salt. The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.

  2. CWE-760: Use of a One-Way Hash with a Predictable Salt. The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input.

  3. CWE-916: Use of Password Hash With Insufficient Computational Effort. The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

  4. NIST 800-63B 5.1.1.2 Memorized Secret Verifiers. The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes.

  5. OWASP-ASVS v4.0.1 V2.4 Credential Storage Requirements (2.4.1). Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash.

  6. OWASP-ASVS v4.0.1 V2.4 Credential Storage Requirements (2.4.2). Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored.
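The following Python example (added here; not code from Fluid Attacks or from the cited standards) shows what meeting this requirement looks like in practice: a salt drawn from the OS CSPRNG, a per-credential record that stores salt and hash together, and an audit routine that flags records whose salt is shorter than 48 bits or reused across credentials. The 128-bit salt size, the PBKDF2 iteration count and the record format are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed values for this example, not taken from the requirement text.
MIN_SALT_BITS = 48             # minimum mandated by R135
SALT_BYTES = 16                # 128-bit salts make collisions among stored hashes negligible
PBKDF2_ITERATIONS = 600_000    # cost factor; tune to the verifier's hardware budget
SCHEME = "pbkdf2_sha256"


def new_salt(n_bytes=SALT_BYTES):
    """Draw a salt from the OS CSPRNG; never derive it from a username, counter or clock."""
    if n_bytes * 8 < MIN_SALT_BITS:
        raise ValueError(f"salt must be at least {MIN_SALT_BITS} bits, got {n_bytes * 8}")
    return secrets.token_bytes(n_bytes)


def hash_password(password, salt=None):
    """Return the record to store per credential: scheme$cost$salt_hex$hash_hex."""
    salt = new_salt() if salt is None else salt
    if len(salt) * 8 < MIN_SALT_BITS:          # reject short salts supplied by callers
        raise ValueError("salt shorter than 48 bits")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    scheme, cost, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(cost)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def audit_salts(records):
    """Flag stored records whose salt is shorter than 48 bits or reused by another record."""
    findings, seen = [], {}
    for i, rec in enumerate(records):
        salt_hex = rec.split("$")[2]
        bits = len(salt_hex) * 4                # two hex characters per byte
        if bits < MIN_SALT_BITS:
            findings.append(f"record {i}: salt is only {bits} bits")
        if salt_hex in seen:
            findings.append(f"record {i}: salt reused from record {seen[salt_hex]}")
        seen.setdefault(salt_hex, i)
    return findings
```

Running audit_salts over an existing credential store is a quick way to find legacy records that fall below the 48-bit floor or that share a salt, which is the CWE-760 condition from reference 2.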

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.