Store salt values separately
Summary​
The salt values used during the password hashing process must be stored separately from the hashed passwords.
Description​
Adding random salt to a password as part of the hashing process drastically increases the time required to crack that password. Salt values should be stored in a system different from the one in which hashed passwords are stored so that if the hashes are breached, an attacker still has to test every possible salt value in order to crack a single password.
Supported In​
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References​
- CWEâ„¢-916. Use of password hash with insufficient computational effort
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
- OWASP SCP-3. Authentication and password management
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.