Line 84: | Line 84: | ||
Separate from the password policy, we should have the following standards when it comes to storing passwords | Separate from the password policy, we should have the following standards when it comes to storing passwords | ||
* Passwords stored in a database should use the following format. | * Passwords stored in a database should use the following format. | ||
* Private salt of 20 chars in addition to the per user salt | ** sha512 hashing | ||
* Private salt would be system only and not stored with user hash or in the databases. | ** Unique per user salt | ||
* Need the ability to change/rotate hashes | ** Private system salt of 20 chars in addition to the per user salt | ||
** Private system salt would be system only and not stored with user hash or in the databases. | |||
** Need the ability to change/rotate hashes | |||
It would look something like this: | It would look something like this: | ||
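Review bot: the restructured standards list (the `** Private system salt of 20 chars` and `** Need the ability to change/rotate hashes` items) only says where the private system salt is not kept ("not stored with user hash or in the databases"); it should say where it does live (application config, environment, a secrets store), since that location decides who can read it and how rotation is done. The rotation item should also spell out that a stored hash can only be recomputed under a new system salt when the plaintext is available, i.e. at the user's next successful login, so each stored hash needs a marker of which system salt version it was produced with. Suggest adding a sub-item such as `** Each stored hash records the system salt version used` and a sentence on where the system salt is kept.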
Line 98: | Line 100: | ||
* privateSystemSalt examples | * privateSystemSalt examples | ||
* privateSystemSalt["2010-10-13"] = "01234567890123456789"; // legacy | * privateSystemSalt["2010-10-13"] = "01234567890123456789"; // legacy privateSystemSalt | ||
* privateSystemSalt["2011-01-01"] = "214bg423df214bg423df"; // legacy privateSystemSalt 2 | |||
* privateSystemSalt["2011-01-01"] = "214bg423df214bg423df"; // legacy | * privateSystemSalt["2011-01-11"] = "^&*Fer3fcj^&*FDF3fc_"; // current | ||
* privateSystemSalt["2011-01-11"] = "^&* | |||
===== Background ===== | ===== Background ===== | ||
I have data on why we are not using bcrypt or something like it. This will be published shortly. | I have data on why we are not using bcrypt or something like it. This will be published shortly. | ||
====Migration==== | ====Migration==== |
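Review bot: the date-keyed example map (`privateSystemSalt["2011-01-11"] = "^&*Fer3fcj^&*FDF3fc_"; // current`) implies a lookup, but nothing in the hunk says how verification knows which key applies to a given user's hash; either the per-user record carries that date (or an index) or every entry must be tried, and the text should state which, particularly for the Migration section that follows. The sample values are also 20 typed keyboard characters, which is far less entropy than 20 random bytes; suggest stating that the salt is generated from a CSPRNG and giving its encoding (hex or base64) alongside the length. Minor: the legacy comments now read "legacy privateSystemSalt" and "legacy privateSystemSalt 2", so the numbering should match the key order or be dropped.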