Summary

Passwords must be hashed before being stored using secure hash algorithms such as `PBKDF2` and `bcrypt`.

Description

A hash function maps data of arbitrary size to fixed-size values. It conceals sensitive information as it is often not possible to reverse hashed texts. Hashing passwords helps to prevent unauthorized actors from obtaining them when accessing the storage system.

References

• CWE-256. Plaintext storage of a password
• CWE-521. Weak password requirements
• CWE-916. Use of password hash with insufficient computational effort
• NIST80063-5_1_1_2. Memorized secret verifiers
• MITRE-M1027. Password policies
• PADSS-2_3. Render PAN unreadable anywhere it is stored
• SANS25-18. Use of hard-coded credentials
• CMMC-IA_L2-3_5_10. Cryptographically-protected passwords
• CMMC-SC_L2-3_13_4. Shared resource control
• ISO27002-5_17. Authentication information
• IEC62443-CR-1_7. Strength of password-based authentication
• ISSAF-D_8. Network security - Password security testing (countermeasures)
• ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
• MVSP-2_4. Application design controls - Password policy
• OWASPSCP-3. Authentication and password management
• BSAFSS-IA_1-2. Software development environment authenticates users and operators
• CWE25-798. Use of hard-coded credentials
• NIST800115-5_1. Password cracking
• SWIFTCSC-4_1. Password policy
• ASVS-2_4_1. Credential storage
• ASVS-2_4_3. Credential storage
• ASVS-2_4_4. Credential storage
• C2M2-4_1_d. Establish identities and manage authentication
• PCI-3_5_1. Primary account number (PAN) is secured wherever it is stored
• SIG-H_3_3. Access control
• SIG-H_3_3_1. Access control
• SIG-U_1_9_16. Server security
• ISO27001-5_17. Authentication information
• CASA-2_4_1. Credential Storage
• CASA-2_4_3. Credential Storage