WebAppSec/Secure Coding Guidelines: Difference between revisions

WebAppSec/Secure Coding Guidelines (view source)

Revision as of 03:00, 4 January 2011

1 byte removed , 4 January 2011

→‎Password Storage

Mcoates

Confirmed users

491

edits

@@ Line 87: / Line 87: @@
 ===Password Storage===
 * Passwords stored in a database should using the following format that leverages secure hashing and a per user salt.
-   * Every new password stored in a form like {algo}-{salt}-{hash}
+   * Every new password stored in a form like {algo}${salt}${hash}
-     * {algo} is {SHA-512},
+     * {algo} is {sha512},
      * {salt} is a salt unique per-user,
      * {hash} is algo(salt + password)
@@ Line 99: / Line 99: @@
 Migrate all password hashes entries in the database as follows. This is a one time, offline migration.
-Stored in databases in form: {algo}-{salt}-{migration_hash}
+Stored in databases in form: {algo}${salt}${migration_hash}
-     * {algo} is {SHA512+MD5},
+     * {algo} is {sha512+MD5},
      * {salt} is a salt unique per-user,
      * {migration_hash} is SHA512(salt + existingPasswordHash)
@@ Line 108: / Line 108: @@
 '''New Login Process'''<br>
-. Attempt to login user with migration hash. This involves performing the old password hash procedure then adding the salt and finally performing the SHA512.
+. Attempt to login user with migration hash. This involves performing the old password hash procedure then adding the salt and finally performing the sha512.
   Example: Old password hash process is md5
-  Migration Hash = SHA512(perUserSalt + md5(user supplied password))
+  Migration Hash = sha512(perUserSalt + md5(user supplied password))
 . If authentication via migration hash is successful:
 - Use the user's provided password and calculate the New Hash per the algorithm defined above.

WebAppSec/Secure Coding Guidelines: Difference between revisions

WebAppSec/Secure Coding Guidelines (view source)

Revision as of 03:00, 4 January 2011

Navigation menu

Search