Cracked Weak Credentials
Need
Prevent unauthorized access by securely hashing and storing passwords.
Context
- Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
- Usage of Comeonin library for hashing
Description
Non compliant code
# Non-compliant: SHA-256 is a general-purpose digest, not a password hash.
def register_user(username, password) do
  # Unsalted, single-round digest: identical passwords produce identical
  # hashes, and a GPU can test billions of SHA-256 guesses per second.
  hashed_password = :crypto.hash(:sha256, password)

  %User{}
  |> User.changeset(%{username: username, password: hashed_password})
  |> Repo.insert()
end
This Elixir function hashes passwords with a single, unsalted SHA-256 call before storing them. SHA-256 is a sound cryptographic digest, but it is designed to be fast, which is exactly the wrong property for password storage: an attacker who obtains the table can test billions of candidate passwords per second on commodity GPUs, and because no salt is used, every user with the same password gets the same hash and precomputed tables apply directly.
Steps
- Replace the SHA-256 hashing function with bcrypt, which adds a random per-password salt and a tunable work factor.
- Set the bcrypt work factor (log rounds) high enough that a single hash costs a noticeable fraction of a second on the production hardware; 12 is the library default and a reasonable floor. Raise it over time as hardware gets faster, and re-hash stored passwords on login when their recorded cost falls below the current setting.
Compliant code
# Compliant: bcrypt with a random salt and a configurable work factor
# (Comeonin 4 API; the cost comes from config :comeonin, :bcrypt_log_rounds).
def register_user(username, password) do
  # hashpwsalt/1 generates a fresh salt and embeds salt, cost and algorithm
  # version in the returned string, so nothing else needs to be stored.
  hashed_password = Comeonin.Bcrypt.hashpwsalt(password)

  %User{}
  |> User.changeset(%{username: username, password: hashed_password})
  |> Repo.insert()
end
This Elixir function hashes passwords with bcrypt before storing them. bcrypt generates a random salt for every password and runs a deliberately slow key-setup loop 2^cost times, so the cost of each guess is under the defender's control and precomputed tables are useless. Verify a login with Comeonin.Bcrypt.checkpw/2 rather than by re-hashing and comparing strings, and call Comeonin.Bcrypt.dummy_checkpw/0 when the username does not exist so that response time does not reveal which accounts are registered. Note that Comeonin.Bcrypt.hashpwsalt/1 is the Comeonin 4 API; from Comeonin 5 onward bcrypt lives in the separate bcrypt_elixir package and is called as Bcrypt.hash_pwd_salt/2, with the work factor set by config :bcrypt_elixir, :log_rounds, 12. Two further caveats: bcrypt only considers the first 72 bytes of the password, so enforce a maximum length instead of silently truncating, and store the result under a field named for what it is (e.g. password_hash) so the plaintext never reaches a persisted column by mistake.
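The following is an added example, not code from the original page. It shows the same registration flow on the Comeonin 5+ layout (bcrypt_elixir, called through the Bcrypt module), with the work factor set explicitly, the 72-byte bcrypt limit enforced, constant-cost handling of unknown usernames on login, and rehashing of hashes whose recorded cost is below the current policy. The User schema, Repo, and the password_hash column are hypothetical, as in the page's own snippets.

```elixir
# Added example (not the page's code). Assumes {:bcrypt_elixir, "~> 3.0"} in
# mix.exs and an Ecto schema `User` with a `password_hash` string column.
defmodule Accounts.Password do
  # Work factor as log2 of the iteration count. 12 is the bcrypt_elixir
  # default; raise it until one hash takes a few hundred ms on production CPUs.
  # Test environments usually lower it via config :bcrypt_elixir, :log_rounds, 4.
  @log_rounds 12

  # Hash for storage. A fresh random salt is generated on every call.
  def hash(password) when is_binary(password) do
    Bcrypt.hash_pwd_salt(password, log_rounds: @log_rounds)
  end

  # bcrypt ignores everything past 72 bytes, so reject longer input instead of
  # letting "correct-password<anything>" verify against the stored hash.
  def valid_length?(password) when is_binary(password) do
    byte_size(password) in 8..72
  end

  # The cost is recorded in the hash string itself ("$2b$12$<salt+hash>"),
  # so stored rows can be checked against the current policy.
  def cost(hash) when is_binary(hash) do
    [_, _version, cost, _rest] = String.split(hash, "$", parts: 4)
    String.to_integer(cost)
  end

  def needs_rehash?(hash), do: cost(hash) < @log_rounds
end

defmodule Accounts do
  alias Accounts.Password

  # Registration: only the bcrypt hash reaches the changeset, under a field
  # name that makes clear it is not the plaintext.
  def register_user(username, password) do
    if Password.valid_length?(password) do
      %User{}
      |> User.changeset(%{username: username, password_hash: Password.hash(password)})
      |> Repo.insert()
    else
      {:error, :invalid_password_length}
    end
  end

  # Login. For an unknown username we still run one bcrypt computation so the
  # response time does not reveal which usernames exist.
  def authenticate(username, password) do
    case Repo.get_by(User, username: username) do
      nil ->
        Bcrypt.no_user_verify(log_rounds: 12)
        {:error, :invalid_credentials}

      %User{password_hash: stored} = user ->
        if Bcrypt.verify_pass(password, stored) do
          maybe_rehash(user, password)
          {:ok, user}
        else
          {:error, :invalid_credentials}
        end
    end
  end

  # Transparent upgrade: a successful login is the only moment the plaintext
  # is available, so use it to bring old, cheaper hashes up to current cost.
  defp maybe_rehash(%User{password_hash: stored} = user, password) do
    if Password.needs_rehash?(stored) do
      user
      |> Ecto.Changeset.change(password_hash: Password.hash(password))
      |> Repo.update()
    end
  end
end
```

Bcrypt.verify_pass/2 does the comparison in constant time and reads the salt and cost from the stored string, so no separate salt column is needed. Keep the error tuple identical for "no such user" and "wrong password" so the login endpoint cannot be used to enumerate accounts.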