The salt values used during the password hashing process must be stored separately from the hashed passwords.
Adding random salt to a password as part of the hashing process drastically increases the time required to crack that password. Salt values should be stored in a system different from the one in which hashed passwords are stored so that if the hashes are breached, an attacker still has to test every possible salt value in order to crack a single password.
This requirement is verified in following services
- CWE™-916. Use of password hash with insufficient computational effort
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
- OWASP SCP-3. Authentication and password management
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.