Store hashed passwords
Summary
Passwords must be hashed before being stored using secure hash algorithms such as PBKDF2 and bcrypt.
Description
A hash function maps data of arbitrary size to fixed-size values. It conceals sensitive information as it is often not possible to reverse hashed texts. Hashing passwords helps to prevent unauthorized actors from obtaining them when accessing the storage system.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWE™-256. Plaintext storage of a password
- CWE™-521. Weak password requirements
- CWE™-916. Use of password hash with insufficient computational effort
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- MITRE ATT&CK®-M1027. Password policies
- PA-DSS-2_3. Render PAN unreadable anywhere it is stored
- SANS 25-18. Use of hard-coded credentials
- CMMC-IA_L2-3_5_10. Cryptographically-protected passwords
- CMMC-SC_L2-3_13_4. Shared resource control
- ISO/IEC 27002-5_17. Authentication information
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- ISSAF-D_8. Network security - Password security testing (countermeasures)
- ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- BSAFSS-IA_1-2. Software development environment authenticates users and operators
- CWE TOP 25-798. Use of hard-coded credentials
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- OWASP ASVS-2_4_1. Credential storage
- OWASP ASVS-2_4_3. Credential storage
- OWASP ASVS-2_4_4. Credential storage
- C2M2-4_1_d. Establish identities and manage authentication
- PCI DSS-3_5_1. Primary account number (PAN) is secured wherever it is stored
- SIG Core-H_3_3. Access control
- SIG Core-H_3_3_1. Access control
- SIG Core-U_1_9_16. Server security
- ISO/IEC 27001-5_17. Authentication information
- CASA-2_4_1. Credential Storage
- CASA-2_4_3. Credential Storage
free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.