Need

Prevent unauthorized access by securely hashing and storing passwords.

Context

• Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
• Usage of Comeonin library for hashing

Description

Non compliant code

        def register_user(username, password) do
  hashed_password = :crypto.hash(:sha256, password)
  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end
        
        

This Elixir function hashes passwords with the SHA-256 function before storing them. While SHA-256 is not inherently insecure, it is not suitable for password hashing due to its speed, which makes it susceptible to brute-force attacks.

Steps

• Replace the SHA-256 hashing function with bcrypt.
• Ensure that the bcrypt work factor is appropriately high to increase the computational cost of cracking the hashes.

Compliant code

        def register_user(username, password) do
  hashed_password = Comeonin.Bcrypt.hashpwsalt(password)
  User.changeset(%User{}, %{username: username, password: hashed_password})
  |> Repo.insert()
end
        
        

This Elixir function hashes passwords with bcrypt before storing them. bcrypt is a secure hashing function that is resistant to brute-force attacks due to its configurable computational cost.

References

• 051. Cracked weak credentials