Cracked Weak Credentials

Need

Prevent unauthorized access by securely hashing and storing passwords.

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Comeonin library for hashing

Description

Non-compliant code

def register_user(username, password) do
  # Plain, fast SHA-256 digest of the password (intentionally weak example)
  hashed_password = :crypto.hash(:sha256, password)

  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end

This Elixir function hashes passwords with SHA-256 before storing them. SHA-256 is not inherently insecure, but it is unsuitable for password hashing because it is designed to be fast: an attacker who obtains the stored hashes can test candidate passwords at very high speed, so weak credentials are quickly recovered by brute force.

Steps

  • Replace the SHA-256 hashing function with bcrypt.
  • Ensure that the bcrypt work factor is appropriately high to increase the computational cost of cracking the hashes.

Compliant code

def register_user(username, password) do
  # bcrypt with a random salt; the work factor (log rounds) is set in the
  # Comeonin configuration and should be kept high enough to slow cracking
  hashed_password = Comeonin.Bcrypt.hashpwsalt(password)

  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end

This Elixir function hashes passwords with bcrypt before storing them. bcrypt is a password hashing function designed to be slow and salted, and its configurable computational cost (work factor) can be raised over time so that brute-force attacks on the stored hashes remain expensive.
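The following is an added example, not code from the original page, showing how the two steps above (bcrypt instead of SHA-256, and an explicit, sufficiently high work factor) fit into a small accounts module. It assumes the Comeonin 3.x/4.x API the page uses (`Comeonin.Bcrypt.hashpwsalt/2` with a `log_rounds` option, `checkpw/2` and `dummy_checkpw/0`), and hypothetical `User` and `Repo` modules with a `password_hash` field. It also goes slightly beyond the page: because bcrypt embeds the cost in the hash string (`$2b$12$...`), stored hashes can be audited for a too-low work factor and upgraded transparently at the next successful login.

```elixir
# Added example, not the original page's code. Assumes Comeonin 3.x/4.x
# (Comeonin.Bcrypt.hashpwsalt/2, checkpw/2, dummy_checkpw/0) and hypothetical
# User/Repo modules with a :password_hash field.
defmodule Accounts do
  # Minimum bcrypt cost: 2^12 iterations. Anything below is treated as weak.
  @min_log_rounds 12

  # Registration: bcrypt with a random salt and an explicit work factor.
  def register_user(username, password) do
    hashed = Comeonin.Bcrypt.hashpwsalt(password, log_rounds: @min_log_rounds)

    %User{}
    |> User.changeset(%{username: username, password_hash: hashed})
    |> Repo.insert()
  end

  # Login: an unknown username still pays for one bcrypt verification, so
  # response time does not reveal whether the account exists.
  def authenticate(username, password) do
    case Repo.get_by(User, username: username) do
      nil ->
        Comeonin.Bcrypt.dummy_checkpw()
        {:error, :invalid_credentials}

      %User{password_hash: hash} = user ->
        if Comeonin.Bcrypt.checkpw(password, hash) do
          {:ok, maybe_rehash(user, password)}
        else
          {:error, :invalid_credentials}
        end
    end
  end

  # Read the cost out of a stored bcrypt hash: "$2b$12$<salt+digest>".
  # Returns 0 for anything that is not a bcrypt hash (e.g. a legacy SHA-256).
  def log_rounds(hash) when is_binary(hash) do
    case String.split(hash, "$") do
      ["", _version, cost, _salt_and_digest] -> String.to_integer(cost)
      _ -> 0
    end
  end

  def log_rounds(_), do: 0

  # Audit helper: true when the hash must be upgraded.
  def weak_hash?(hash), do: log_rounds(hash) < @min_log_rounds

  # After a successful login we hold the plaintext password, which is the only
  # moment a weak hash can be replaced with a stronger one.
  defp maybe_rehash(%User{password_hash: hash} = user, password) do
    if weak_hash?(hash) do
      stronger = Comeonin.Bcrypt.hashpwsalt(password, log_rounds: @min_log_rounds)

      user
      |> User.changeset(%{password_hash: stronger})
      |> Repo.update!()
    else
      user
    end
  end
end
```

`weak_hash?/1` can also be run over the whole users table during a migration to report how many accounts still carry hashes below the chosen cost; raising `@min_log_rounds` later is enough to make those accounts rehash at their next login.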

References