333 – Store salt values separately

Summary

The salt values used during the password hashing process must be stored separately from the hashed passwords.

Description

Adding random salt to a password as part of the hashing process drastically increases the time required to crack that password. Salt values should be stored in a system different from the one in which hashed passwords are stored so that if the hashes are breached, an attacker still has to test every possible salt value in order to crack a single password.

Supported In

Advanced: True

References

• CWE-916. Use of password hash with insufficient computational effort
• NIST80063-5_1_1_2. Memorized secret verifiers
• IEC62443-CR-1_7. Strength of password-based authentication
• ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
• OWASPSCP-3. Authentication and password management
• NIST800115-5_1. Password cracking
• SWIFTCSC-4_1. Password policy

Last updated

2023/09/18