Store salt values separately
Summary
The salt values used during the password hashing process must be stored separately from the hashed passwords.
Description
Adding random salt to a password as part of the hashing process drastically increases the time required to crack that password. Salt values should be stored in a system different from the one in which hashed passwords are stored so that if the hashes are breached, an attacker still has to test every possible salt value in order to crack a single password.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWEâ„¢-916. Use of password hash with insufficient computational effort
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)
- OWASP SCP-3. Authentication and password management
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.