Cracked Weak Credentials - Elixir

Cracked Weak Credentials - Elixir

Need

Prevent unauthorized access by securely hashing and storing passwords.

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Comeonin library for hashing

Description

Non compliant code

        def register_user(username, password) do
  hashed_password = :crypto.hash(:sha256, password)
  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end
        
        

This Elixir function hashes passwords with the SHA-256 function before storing them. While SHA-256 is not inherently insecure, it is not suitable for password hashing due to its speed, which makes it susceptible to brute-force attacks.

Steps

  • Replace the SHA-256 hashing function with bcrypt.
  • Ensure that the bcrypt work factor is appropriately high to increase the computational cost of cracking the hashes.

Compliant code

        def register_user(username, password) do
  hashed_password = Comeonin.Bcrypt.hashpwsalt(password)
  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end
        
        

This Elixir function hashes passwords with bcrypt before storing them. bcrypt is a secure hashing function that is resistant to brute-force attacks due to its configurable computational cost.

References