[OWASP-cheat-sheets] OWASP Cheat Sheets Question - Password Hashing

Thomas Herzog thomas.herzog at owasp.org
Thu Mar 5 17:17:43 UTC 2015


Hi there,
I have a general remark. In my opinion there are currently some
redundancies between the cryptography storage cheat sheet and the password
storage cheat sheet. Wouldn't it be better to separate these two cheat
sheets more? I would move everything which refers to password storage in
particular to the password storage cheat sheet and would put a general
reference into the cryptography storage cheat sheet (something
like: for recommendations regarding password storage please see....). In
this way you minimize syncing the two cheat sheets when you change
something and simplify the overall maintenance.

What do you think?

Best regards,
Thomas


On Thu, Mar 5, 2015 at 3:29 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  Thank you for your input!
>
> > Should I recommend using PBKDF2 for the password hashing algorithm?
>
> PBKDF2, bcrypt or scrypt are the go-to algorithms for password storage.
>
> > Are SHA1/SHA-256 references to stale or outdated documentation?
>
> They are referring to hashing in general, not specific to password storage.
>
> > 1. There are references to SHA1 and SHA-256 on this web page:
> https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
> > Only use approved public algorithms such as AES, RSA public key
> > cryptography, and SHA-256 or better for hashing.
>
> I updated this. Better?
>
>
> https://www.owasp.org/index.php?title=Cryptographic_Storage_Cheat_Sheet&diff=190828&oldid=187902
>
> Aloha,
> Jim
>
>
> 2. However, this document does not mention anything regarding SHA, AES,
> RSA, etc...
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>
> Leverage an adaptive one-way function
>
> Adaptive one-way functions compute a one-way (irreversible) transform. Each
> function allows configuration of ‘work factor’. Underlying mechanisms used
> to achieve irreversibility and govern work factors (such as time, space, and
> parallelism) vary between functions and remain unimportant to this
> discussion. Select: PBKDF2 [*4] when FIPS certification or enterprise
> support on many platforms is required; scrypt [*5] where resisting any/all
> hardware accelerated attacks is necessary but support isn’t. bcrypt where
> PBKDF2 or scrypt support is not available.
>
>
>  Thanks in advance for your clarification and/or consideration to this
> request.
>
>  Kenneth Po
>
>
>
> _______________________________________________
> OWASP-cheat-sheets mailing list
> OWASP-cheat-sheets at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets
>
>