
Difference between revisions of "Password Storage Cheat Sheet"

From OWASP
Older revision: m (Password Storage Rules)
Newer revision: m (Point to the official site)

(90 intermediate revisions by 13 users not shown)
= DRAFT CHEAT SHEET - WORK IN PROGRESS =
= Introduction =
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!

This article is focused on providing guidance on storing passwords so that a compromise of the credential store does not hand the attacker the users' passwords.

Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html Password Storage Cheat Sheet] to see the latest version of the cheat sheet.
 
 
== Password Storage Rules ==

It is crucial that passwords are stored in a way that lets them be *verified* but never *exposed*, even to insiders or administrators. To accomplish this, store a salted hash of the password rather than the password itself. Use a different cryptographically random salt for each password hash, not one constant salt shared across the whole user table: a shared salt lets an attacker build a single precomputed table for every account at once and immediately shows which users share a password. Do not store the clear-text password, and do not store a reversibly encrypted version of it either, since anyone who obtains the decryption key (an administrator included) recovers every password in one step.

# Use a modern hash designed for passwords, not a bare general-purpose digest
## PBKDF2 (iterated HMAC over SHA-2, as specified in PKCS #5)
## bcrypt (or scrypt)
# Use a long cryptographically random salt, generated separately for each password
## Store the salt as its own field next to the hash; it does not need to be secret, only unique per password
# Iterate the hash (apply a work factor) so that every guess costs the attacker as much as a login costs you, and tune the count to the slowest verification time your login path can tolerate
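
The rules above, carried through end to end as an added example; this is illustrative code written for this page, not code from the OWASP cheat sheet or from any of the libraries it references. It uses PBKDF2-HMAC-SHA256 from PKCS #5 via Python's standard library, a fresh 16-byte random salt per password, a fixed iteration count, a self-describing `algorithm$iterations$salt$hash` record so the work factor can be raised later, and a constant-time comparison for verification. The record format, the parameter values, and the function names (`hash_password`, `verify_password`, `needs_rehash`) are this example's own choices, not anything the cheat sheet prescribes; the optional `salt` argument exists only so the constant-salt failure mode can be shown side by side with the correct behaviour.

```python
"""Salted, iterated password hashing with PBKDF2-HMAC-SHA256 (PKCS #5 v2.1).

Added illustration for the Password Storage Rules; not code from the OWASP
cheat sheet. Record format, parameter values and names are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"   # assumed label stored in each record
ITERATIONS = 200_000          # assumed work factor; tune to the slowest acceptable login
SALT_BYTES = 16               # 128-bit random salt, one per password
HASH_BYTES = 32               # full SHA-256 output length


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    # validate=True makes junk characters raise binascii.Error (a ValueError)
    return base64.b64decode(text.encode("ascii"), validate=True)


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record of the form algorithm$iterations$salt$hash.

    A fresh random salt is drawn on every call unless one is passed in;
    the parameter exists only so the constant-salt mistake can be demonstrated.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=HASH_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = _unb64(salt_b64)
        expected = _unb64(digest_b64)
    except ValueError:           # wrong field count, bad integer or bad base64
        return False
    if iterations < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so response
    # timing does not reveal how much of the hash a guess got right.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below the current work-factor policy.

    Check this right after a successful login and re-hash with the current
    parameters: that is the only moment the clear-text password is available.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("correct horse battery staple")}
    # Same password, different records: the per-user salt is doing its job.
    print("records differ:", users["alice"] != users["bob"])
    print("alice ok:", verify_password("correct horse battery staple", users["alice"]))
    print("wrong case:", verify_password("Correct horse battery staple", users["alice"]))
    # Failure mode: a constant salt makes equal passwords visibly equal.
    fixed = b"do-not-do-this!!"
    print("constant salt collides:",
          hash_password("hunter2", salt=fixed) == hash_password("hunter2", salt=fixed))
```

Storing the algorithm and iteration count inside the record is what makes the third rule (iterate, and keep raising the count) operable: old records keep verifying with their own parameters, and `needs_rehash` flags them for an upgrade at the next successful login. bcrypt and scrypt libraries follow the same pattern with their own encoded string formats.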
 
 
 
== References ==

A cryptographic framework for password-based key derivation (PBKDF2) is described in [http://www.rsa.com/rsalabs/node.asp?id=2127 PKCS #5 v2.1: Password-Based Cryptography Standard]. Dedicated password hashing algorithms also exist, such as [http://www.usenix.org/events/usenix99/provos/provos_html/node1.html bcrypt] and [http://www.tarsnap.com/scrypt/scrypt.pdf scrypt]. Implementations of secure password hashing exist for PHP ([http://www.openwall.com/phpass/ phpass]), ASP.NET ([http://msdn.microsoft.com/en-us/library/ms998372.aspx#pagpractices0001_sensitivedata ASP.NET 2.0 Security Practices]) and Java ([http://www.owasp.org/index.php/Hashing_Java OWASP Hashing Java]).

[[Category:Cheatsheets]]
 

Latest revision as of 14:20, 15 July 2019
