[OWASP-cheat-sheets] OWASP Cheat Sheets Question - Password Hashing

Jim Manico jim.manico at owasp.org
Thu Mar 5 14:29:05 UTC 2015

Thank you for your input!

 > Should I recommend using PBKDF2 for the password hashing algorithm?

PBKDF2, bcrypt or scrypt are the go-to algorithms for password storage.

 > Are SHA1/SHA-256 references to stale or outdated documentation?

They are referring to hashing in general, not specific to password storage.

> 1. There are references to SHA1 and SHA-256 on this web
> page: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet/
> Only use approved public algorithms such as AES, RSA public key
> cryptography, and SHA-256 or better for hashing.

I updated this. Better?


> 2. However, this document does not mention anything regarding SHA,
> AES, RSA, etc...
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
> Leverage an adaptive one-way function
> Adaptive one-way functions compute a one-way (irreversible) transform.
> Each function allows configuration of 'work factor'. Underlying
> mechanisms used to achieve irreversibility and govern work factors
> (such as time, space, and parallelism) vary between functions and
> remain unimportant to this discussion.
> Select:
> PBKDF2 [*4] when FIPS certification or enterprise support on many
> platforms is required;
> scrypt [*5] where resisting any/all hardware accelerated attacks is
> necessary but support isn't.
> bcrypt where PBKDF2 or scrypt support is not available.
>
> Thanks in advance for your clarification and/or consideration to this
> request.
> Kenneth Po

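Added example, not part of this thread or of the OWASP cheat sheets: PBKDF2-HMAC-SHA256 with a random per-user salt and a tunable iteration count, shown beside plain SHA-256, to illustrate the distinction Jim draws between general-purpose hashing and password storage. The iteration count, record format and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Constructed illustrative value: tune it
# to the slowest verification latency your login path can tolerate.
ITERATIONS = 600_000
SALT_BYTES = 16   # random per-password salt; makes equal passwords hash differently
DKLEN = 32        # derived-key length in bytes
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored work factor is below the current policy, so the
    record should be re-hashed at the next successful login."""
    return int(record.split("$")[1]) < iterations


def plain_sha256(password: str) -> str:
    """Unsalted, single-round SHA-256: fine for general-purpose hashing
    (integrity, signatures), but deterministic and fast, so unsuitable
    for password storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
    # Two users with the same password get identical SHA-256 digests but
    # different PBKDF2 records because of the random salt.
    print("sha256 equal:", plain_sha256("hunter2") == plain_sha256("hunter2"))
    print("pbkdf2 equal:", hash_password("hunter2") == hash_password("hunter2"))
```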