Confirmed users
491
edits
WebAppSec/Secure Coding Guidelines: Difference between revisions
→Password Storage
| Line 68: | Line 68: | ||
===Password Storage=== | ===Password Storage=== | ||
Separate from the password policy, we should have the following standards when it comes to storing passwords | Separate from the password policy, we should have the following standards when it comes to storing passwords: | ||
* Passwords stored in a database should using the hmac+bcrypt function. | * Passwords stored in a database should using the hmac+bcrypt function. | ||
The purpose of hmac and bcrypt storage is as follows: | |||
* bcrypt provides a hashing mechanism which can be configured to consume sufficient time to prevent brute forcing of hash values even with many computers | |||
* bcrypt can be easily adjusted at any time to increase the amount of work and thus provide protection against more powerful systems | |||
* The nonce for the hmac value is designed to be stored on the file system and not in the databases storing the password hashes. In the event of a compromise of hash values due to SQL injection, the nonce will still be an unknown value since it would not be compromised from the file system. This significantly increases the complexity of brute forcing the compromised hashes considering both bcrypt and a large unknown nonce value | |||
* The hmac operation is simply used as a secondary defense in the event their is a future computational risk with bcrypt that could leak information about the password or aid an attacker | |||
A sample of this code is here: https://github.com/fwenzel/django-sha2 | A sample of this code is here: https://github.com/fwenzel/django-sha2 | ||