Store salt values separately
Summary
The salt values used during the password hashing process must be stored separately from the hashed passwords.
Description
Adding random salt to a password as part of the hashing process drastically increases the time required to crack that password. Salt values should be stored in a system different from the one in which hashed passwords are stored so that if the hashes are breached, an attacker still has to test every possible salt value in order to crack a single password.
References
- CWE-916. Use of password hash with insufficient computational effort
- NIST80063-5_1_1_2. Memorized secret verifiers
- IEC62443-CR-1_7. Strength of password-based authentication
- ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
- OWASPSCP-3. Authentication and password management
- NIST800115-5_1. Password cracking
- SWIFTCSC-4_1. Password policy
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan