Difference between revisions of "Password Storage Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Password Storage Rules)
m (Password Storage Rules)
Line 6: Line 6:
  
 
== Password Storage Rules ==
 
== Password Storage Rules ==
 +
 +
It is crucial that passwords are stored in a way that they can be *verified* but not *exposed* in any way, even by insiders or administrations. To accomplish this, store the salted hashed value of the password. Preferably use a different random salt for each password hash instead of a constant long salt.  It is recommended that you avoid storing the clear text password or an encrypted version of the password.
  
 
# Use a modern hash
 
# Use a modern hash
Line 13: Line 15:
 
## Isolate the salt from the hash
 
## Isolate the salt from the hash
 
# Iterate the hash
 
# Iterate the hash
 +
 +
== References ==
 +
 +
Cryptographic framework for password hashing is described in [http://www.rsa.com/rsalabs/node.asp?id=2127 PKCS #5 v2.1: Password-Based Cryptography Standard]. Specific secure password hashing algorithms exist such as [http://www.usenix.org/events/usenix99/provos/provos_html/node1.html bcrypt], [http://www.tarsnap.com/scrypt/scrypt.pdf scrypt]. Implementations of secure password hashing exist for PHP ([http://www.openwall.com/phpass/ phpass]), ASP.NET ([http://msdn.microsoft.com/en-us/library/ms998372.aspx#pagpractices0001_sensitivedata ASP.NET 2.0 Security Practices]), Java ([http://www.owasp.org/index.php/Hashing_Java OWASP Hashing Java]).
  
 
{{Cheatsheet_Navigation}}
 
{{Cheatsheet_Navigation}}
  
 
[[Category:Cheatsheets]]
 
[[Category:Cheatsheets]]

Revision as of 14:13, 21 September 2011

Contents

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This article is focused on providing guidance to storing a passwords in order to help prevent password theft.

Password Storage Rules

It is crucial that passwords are stored in a way that they can be *verified* but not *exposed* in any way, even by insiders or administrations. To accomplish this, store the salted hashed value of the password. Preferably use a different random salt for each password hash instead of a constant long salt. It is recommended that you avoid storing the clear text password or an encrypted version of the password.

  1. Use a modern hash
    1. SHA
    2. bcrypt
  2. Use a long cryptographically random salt
    1. Isolate the salt from the hash
  3. Iterate the hash

References

Cryptographic framework for password hashing is described in PKCS #5 v2.1: Password-Based Cryptography Standard. Specific secure password hashing algorithms exist such as bcrypt, scrypt. Implementations of secure password hashing exist for PHP (phpass), ASP.NET (ASP.NET 2.0 Security Practices), Java (OWASP Hashing Java).

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets