
Cracked Weak Credentials - Elixir


Need

Prevent unauthorized access by securely hashing and storing passwords.


Context

  1. Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  2. Usage of Comeonin library for hashing

Description

Insecure Code Example

def register_user(username, password) do
  # Fast, unsalted digest: identical passwords yield identical hashes, and an
  # attacker with the stored values can test guesses at GPU speed. Hex-encoded
  # here only so the value fits a string column; the weakness is the algorithm.
  hashed_password = :crypto.hash(:sha256, password) |> Base.encode16(case: :lower)
  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end

This Elixir function hashes passwords with the general-purpose SHA-256 digest before storing them, without a salt and without a tunable cost. SHA-256 is not a broken function, but it is unsuitable for password storage precisely because it is fast: if the stored hashes are leaked, an attacker can test enormous numbers of candidate passwords per second, and equal passwords map to equal hashes.

Steps

  1. Replace the SHA-256 hashing function with bcrypt.
  2. Ensure that the bcrypt work factor is appropriately high to increase the computational cost of cracking the hashes.

Secure Code Example

def register_user(username, password) do
  # hashpwsalt/1 generates a random salt for every call and embeds it, together
  # with the work factor, in the returned "$2b$..." string, so no separate salt
  # column is needed. The work factor is read from config in Comeonin 4.x
  # (config :comeonin, :bcrypt_log_rounds, 12); bcrypt_elixir 2+ exposes the
  # same operation as Bcrypt.hash_pwd_salt/1.
  hashed_password = Comeonin.Bcrypt.hashpwsalt(password)
  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end

This Elixir function hashes passwords with bcrypt before storing them. bcrypt is a purpose-built password hashing function: it salts each hash automatically and has a configurable work factor, so the cost of each guess can be raised as hardware gets faster, which is what makes offline brute-force attacks against leaked hashes impractical.
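The two steps above (switch to bcrypt, set the work factor) are shown end to end in the following added example, which is not code from the original page. It uses bcrypt_elixir, the bcrypt backend that Comeonin delegates to in Comeonin 5, and assumes a `MyApp.User` Ecto schema with `:username` and `:password_hash` fields plus a `MyApp.Repo`; the module name, the `authenticate/2` and `maybe_rehash/2` functions and the chosen round count are illustrative.

```elixir
# Added example, not part of the original page. Dependency (assumed):
#   {:bcrypt_elixir, "~> 3.0"} in mix.exs.
# Work factor: each +1 to log_rounds doubles the cost of one hash. Raise it
# from the default of 12 only after measuring the cost on production hardware;
# the app-wide default can also be set in config/config.exs with
#   config :bcrypt_elixir, log_rounds: 13

defmodule MyApp.Accounts do
  alias MyApp.{Repo, User}

  # Stated explicitly so the chosen cost is visible in code review.
  @log_rounds 13

  def register_user(username, password) do
    # hash_pwd_salt/2 draws a fresh random salt per call and embeds salt and
    # cost in the returned "$2b$13$..." string; store that string as-is.
    password_hash = Bcrypt.hash_pwd_salt(password, log_rounds: @log_rounds)

    %User{}
    |> User.changeset(%{username: username, password_hash: password_hash})
    |> Repo.insert()
  end

  def authenticate(username, password) do
    case Repo.get_by(User, username: username) do
      %User{password_hash: hash} = user ->
        if Bcrypt.verify_pass(password, hash),
          do: {:ok, user},
          else: {:error, :invalid_credentials}

      nil ->
        # Spend the same bcrypt cost on an unknown username as on a wrong
        # password, so response time does not reveal which usernames exist.
        Bcrypt.no_user_verify(log_rounds: @log_rounds)
        {:error, :invalid_credentials}
    end
  end

  # Work-factor upgrade: a bcrypt hash records its own cost, so after a
  # successful login any hash produced with fewer rounds than the current
  # setting can be replaced, phasing out weak hashes without a reset campaign.
  def maybe_rehash(%User{password_hash: hash} = user, password) do
    case String.split(hash, "$") do
      ["", _version, rounds, _salt_and_digest] ->
        if String.to_integer(rounds) < @log_rounds do
          new_hash = Bcrypt.hash_pwd_salt(password, log_rounds: @log_rounds)

          user
          |> Ecto.Changeset.change(password_hash: new_hash)
          |> Repo.update()
        else
          {:ok, user}
        end

      _ ->
        {:ok, user}
    end
  end
end
```

Call `maybe_rehash/2` only from the success branch of `authenticate/2`, since the plaintext password is available just then. Note that bcrypt uses at most the first 72 bytes of the password, so a length limit in the changeset should reject or warn on longer inputs rather than silently truncating them.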


References

  • 051 - Cracked Weak Credentials

  • Last updated: 2023/09/18