Passwords with random salt
Summary
Salt values in passwords must be random and have a minimum length of 48 bits.
Description
empty
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-522. Insufficiently protected credentials
- CWE™-759. Use of a one-way hash without a salt
- CWE™-760. Use of a one-way hash with a predictable salt
- CWE™-916. Use of password hash with insufficient computational effort
- CWE™-1391. Use of weak credentials
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- ISSAF-D_8. Network security - Password security testing (countermeasures)
- ISSAF-Q_16_10. Host security - Windows security (SMB attacks)
- OWASP SCP-3. Authentication and password management
- OWASP MASVS-V4_5. Authentication and session management requirements - Password policy
- NIST 800-171-5_10. Store and transmit only cryptographically-protected passwords
- OWASP ASVS-2_4_2. Credential storage
- OWASP ASVS-2_4_5. Credential storage
- CASA-2_4_5. Credential Storage
Vulnerabilities
- 020. Non-encrypted confidential information
- 051. Cracked weak credentials
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 245. Non-encrypted confidential information - Credit Cards
- 246. Non-encrypted confidential information - DB
- 247. Non-encrypted confidential information - AWS
- 248. Non-encrypted confidential information - LDAP
- 249. Non-encrypted confidential information - Credentials
- 251. Non-encrypted confidential information - JFROG
- 275. Non-encrypted confidential information - Local data
- 284. Non-encrypted confidential information - Base 64
- 378. Non-encrypted confidential information - Hexadecimal
- 385. Non-encrypted confidential information - Keys
- 386. Cross-Site Leak - Frame Counting
- 441. Non-encrypted confidential information - Azure