Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. (C6)
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 916
Verify that the salt is at least 32 bits in length and is chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. (C6)
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 916
Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. (C6)
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 916
Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, with a minimum of 10. (C6)
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 916
Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module).
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 916
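The requirements above combine into one storage scheme: a unique random salt per credential, PBKDF2 with an iteration count at or above the 100,000 floor, and an additional keyed derivation under a secret salt held outside the credential store. The following Python is an added illustration, not code from OWASP ASVS; the record format, the 16-byte salt, and the use of HMAC-SHA256 for the secret-salt step are choices made for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (the numbers mirror the ASVS floors above).
PBKDF2_ITERATIONS = 100_000   # V2.4.3: typically at least 100,000 iterations
SALT_BYTES = 16               # 128-bit per-credential salt, well above the 32-bit minimum
HASH_LEN = 32                 # 256-bit derived key

def derive(password: str, salt: bytes, secret_salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a unique public salt, then one additional
    keyed derivation (HMAC-SHA256) under the verifier-only secret salt."""
    first = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                salt, iterations, dklen=HASH_LEN)
    # The extra keyed step means a leaked credential table alone is not enough
    # to mount an offline guess: the attacker also needs the secret salt.
    return hmac.new(secret_salt, first, hashlib.sha256).digest()

def hash_password(password: str, secret_salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iteration count, salt, hash.
    A fresh random salt is generated for every credential (V2.4.2)."""
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, secret_salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())

def verify_password(password: str, record: str, secret_salt: bytes) -> bool:
    """Recompute the hash from the stored record and compare in constant time.
    Returns False (never raises) on a malformed or foreign record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = derive(password, bytes.fromhex(salt_hex),
                           secret_salt, int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed secret salt; in production it comes from an HSM/KMS, not the DB.
    pepper = os.urandom(32)
    rec = hash_password("correct horse battery staple", pepper)
    print(rec)
    print(verify_password("correct horse battery staple", rec, pepper))  # True
```

Storing the iteration count in the record lets the verifier raise the cost factor later and re-hash credentials on their next successful login.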
Credit via OWASP ASVS. For more information visit the OWASP ASVS Project or its GitHub repository. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.