Summary

Salt values in passwords must be random and have a minimum length of 48 bits.

Description

By being random and having a minimum length of 48 bits the salt complexity is strong enough to mitigate the risk of a successful attack over the user's password.

References

• CWE-522. Insufficiently protected credentials
• CWE-759. Use of a one-way hash without a salt
• CWE-760. Use of a one-way hash with a predictable salt
• CWE-916. Use of password hash with insufficient computational effort
• CWE-1391. Use of Weak Credentials
• NIST80063-5_1_1_2. Memorized secret verifiers
• IEC62443-CR-1_7. Strength of password-based authentication
• ISSAF-D_8. Network security - Password security testing (countermeasures)
• ISSAF-Q_16_10. Host security - Windows security (SMB attacks)
• OWASPSCP-3. Authentication and password management
• NIST800171-5_10. Store and transmit only cryptographically-protected passwords
• ASVS-2_4_2. Credential storage
• ASVS-2_4_5. Credential storage
• CASA-2_4_5. Credential Storage

Weaknesses

• 020. Non-encrypted confidential information
• 051. Cracked weak credentials
• 095. Data uniqueness not properly verified
• 099. Non-encrypted confidential information - S3 Server Side Encryption
• 245. Non-encrypted confidential information - Credit Cards
• 246. Non-encrypted confidential information - DB
• 247. Non-encrypted confidential information - AWS
• 248. Non-encrypted confidential information - LDAP
• 249. Non-encrypted confidential information - Credentials
• 251. Non-encrypted confidential information - JFROG
• 275. Non-encrypted confidential information - Local data
• 284. Non-encrypted confidential information - Base 64
• 378. Non-encrypted confidential information - Hexadecimal
• 385. Non-encrypted confidential information - Keys
• 386. Cross-Site Leak - Frame Counting
• 441. Non-encrypted confidential information - Azure