-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathInsufficientPasswordHash.qhelp
More file actions
55 lines (46 loc) · 1.46 KB
/
InsufficientPasswordHash.qhelp
File metadata and controls
55 lines (46 loc) · 1.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Storing cryptographic hashes of passwords is standard security
practice, but it is equally important to select the right
hashing scheme.
If an attacker obtains the hashed passwords of an application,
the password hashing scheme should still prevent the attacker
from easily obtaining the original cleartext passwords.
</p>
<p>
A good password hashing scheme requires a computation that
cannot be done efficiently. Standard hashing schemes, such as
<code>md5</code> or <code>sha1</code>, are efficiently
computable, and are therefore not suitable for password
hashing.
</p>
</overview>
<recommendation>
<p>
Use a secure password hashing scheme such as
<code>bcrypt</code>, <code>scrypt</code>, <code>PBKDF2</code>,
or <code>Argon2</code>.
</p>
</recommendation>
<example>
<p>
In the example below, the <code>md5</code> algorithm computes
the hash of a password.
</p>
<sample src="examples/InsufficientPasswordHash.js"/>
<p>
This is not secure, since the password can be efficiently
cracked by an attacker that obtains the hash. A more secure
scheme is to hash the password with the <code>bcrypt</code>
algorithm:
</p>
<sample src="examples/InsufficientPasswordHash_fixed.js"/>
</example>
<references>
<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password storage</a>.</li>
</references>
</qhelp>