Store passwords with salt
Summary
The system must store passwords with different key derivations (salt).
Description
empty
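As an added illustration of this requirement (example code, not part of the original page), the Python below derives a fresh random salt per stored password, keeps it next to the PBKDF2 output so it can be re-derived at login, compares in constant time, and includes an audit helper that flags salt reuse across stored records; the record format and cost parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not values from the requirement page).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor so that offline guessing is slow (CWE-916)
SALT_BYTES = 16        # 128-bit salt from a CSPRNG, unique per stored password
DK_LEN = 32            # derived key length in bytes


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and encode it as algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # never reuse or derive from user data
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                        int(iterations), dklen=len(expected))
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or cost
    return hmac.compare_digest(candidate, expected)


def find_salt_reuse(records):
    """Audit helper: return salts shared by more than one record (CWE-759/760)."""
    counts = {}
    for rec in records:
        salt_hex = rec.split("$")[2]
        counts[salt_hex] = counts.get(salt_hex, 0) + 1
    return [salt for salt, n in counts.items() if n > 1]
```

Two users with the same password get different records because the salt differs, which is the property the requirement asks for.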
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CIS-3_11. Encrypt sensitive data at rest
- CWE™-522. Insufficiently protected credentials
- CWE™-759. Use of a one-way hash without a salt
- CWE™-760. Use of a one-way hash with a predictable salt
- CWE™-916. Use of password hash with insufficient computational effort
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- CMMC-IA_L2-3_5_10. Cryptographically-protected passwords
- ISSAF-D_8. Network security - Password security testing (countermeasures)
- ISSAF-Q_16_10. Host security - Windows security (SMB attacks)
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- BSAFSS-SI_1-5. Avoid architectural weaknesses of authentication failure
- OWASP MASVS-V4_5. Authentication and session management requirements - Password policy
- NIST 800-171-5_10. Store and transmit only cryptographically-protected passwords
- CWE TOP 25-798. Use of hard-coded credentials
- OWASP ASVS-2_4_1. Credential storage
- C2M2-4_1_d. Establish identities and manage authentication
- OWASP ASVS-2_10_3. Service authentication
- OWASP API Security Top 10-API7. Security Misconfiguration
- CASA-2_4_1. Credential Storage
- CASA-2_10_3. Service Authentication
Vulnerabilities
- 020. Non-encrypted confidential information
- 051. Cracked weak credentials
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 245. Non-encrypted confidential information - Credit Cards
- 246. Non-encrypted confidential information - DB
- 247. Non-encrypted confidential information - AWS
- 248. Non-encrypted confidential information - LDAP
- 249. Non-encrypted confidential information - Credentials
- 251. Non-encrypted confidential information - JFROG
- 275. Non-encrypted confidential information - Local data
- 284. Non-encrypted confidential information - Base 64
- 378. Non-encrypted confidential information - Hexadecimal
- 385. Non-encrypted confidential information - Keys
- 386. Cross-Site Leak - Frame Counting
- 441. Non-encrypted confidential information - Azure