135 – Passwords with random salt

Summary

Salt values in passwords must be random and have a minimum length of 48 bits.

Description

By being random and having a minimum length of 48 bits the salt complexity is strong enough to mitigate the risk of a successful attack over the user's password.

Supported In

Essential: True

Advanced: True

References

• CWE-522. Insufficiently protected credentials
• CWE-759. Use of a one-way hash without a salt
• CWE-760. Use of a one-way hash with a predictable salt
• CWE-916. Use of password hash with insufficient computational effort
• CWE-1391. Use of Weak Credentials
• NIST80063-5_1_1_2. Memorized secret verifiers
• IEC62443-CR-1_7. Strength of password-based authentication
• ISSAF-D_8. Network security - Password security testing (countermeasures)
• ISSAF-Q_16_10. Host security - Windows security (SMB attacks)
• OWASPSCP-3. Authentication and password management
• NIST800171-5_10. Store and transmit only cryptographically-protected passwords
• ASVS-2_4_2. Credential storage
• ASVS-2_4_5. Credential storage
• CASA-2_4_5. Credential Storage

Weaknesses

• 245 – Non-encrypted confidential information - Credit Cards
• 246 – Non-encrypted confidential information - DB
• 247 – Non-encrypted confidential information - AWS
• 248 – Non-encrypted confidential information - LDAP
• 249 – Non-encrypted confidential information - Credentials
• 251 – Non-encrypted confidential information - JFROG
• 275 – Non-encrypted confidential information - Local data
• 284 – Non-encrypted confidential information - Base 64
• 378 – Non-encrypted confidential information - Hexadecimal
• 385 – Non-encrypted confidential information - Keys
• 386 – Cross-Site Leak - Frame Counting
• 441 – Non-encrypted confidential information - Azure
• 020 – Non-encrypted confidential information
• 051 – Cracked weak credentials
• 095 – Data uniqueness not properly verified
• 099 – Non-encrypted confidential information - S3 Server Side Encryption

Last updated

2024/01/18