[OWASP-cheat-sheets] OWASP Cheat Sheets Question - Password Hashing

Jim Manico jim.manico at owasp.org
Thu Mar 5 20:33:08 UTC 2015


Sure, do you have a wiki account? Care to take a crack at it?
- Jim

On 3/5/15 7:17 AM, Thomas Herzog wrote:
> Hi there,
> I have a general remark. In my opinion there are currently some 
> redundancies between the cryptographic storage cheat sheet and the 
> password storage cheat sheet. Wouldn't it be better to separate 
> these two cheat sheets more? I would move everything which refers to 
> password storage in particular to the password storage cheat sheet and 
> would put a general reference into the cryptographic storage 
> cheat sheet (something like: for recommendations regarding password 
> storage please see....). In this way you minimize syncing the two 
> cheat sheets when you change something and simplify the overall 
> maintenance.
>
> What do you think?
>
> Best regards,
> Thomas
>
>
> On Thu, Mar 5, 2015 at 3:29 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Thank you for your input!
>
>     > Should I recommend using PBKDF2 for the password hashing algorithm?
>
>     PBKDF2, bcrypt or scrypt are the go-to algorithms for password storage.
>
>     > Are SHA1/SHA-256 references to stale or outdated documentation?
>
>     They are referring to hashing in general, not specifically to password
>     storage.
>
>     > 1. There are references to SHA1 and SHA-256 on this web page:
>     https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet/
>     > "Only use approved public algorithms such as AES, RSA public key
>     cryptography, and SHA-256 or better for hashing."
>
>     I updated this. Better?
>
>     https://www.owasp.org/index.php?title=Cryptographic_Storage_Cheat_Sheet&diff=190828&oldid=187902
>
>     Aloha,
>     Jim
>>
>>     2. However, this document does not mention anything regarding
>>     SHA, AES, RSA, etc...
>>     https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>
>>     "Leverage an adaptive one-way function
>>
>>     Adaptive one-way functions compute a one-way (irreversible)
>>     transform. Each function allows configuration of 'work factor'.
>>     Underlying mechanisms used to achieve irreversibility and govern
>>     work factors (such as time, space, and parallelism) vary between
>>     functions and remain unimportant to this discussion.
>>
>>     Select:
>>
>>     PBKDF2 [*4] when FIPS certification or enterprise support on many
>>     platforms is required;
>>     scrypt [*5] where resisting any/all hardware accelerated attacks
>>     is necessary but support isn't.
>>     bcrypt where PBKDF2 or scrypt support is not available."
>>
>>     Thanks in advance for your clarification and/or consideration to
>>     this request.
>>
>>     Kenneth Po
>
>

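The cheat sheet text quoted in this thread recommends an adaptive one-way function with a configurable work factor and names PBKDF2 as the choice when FIPS certification or broad platform support matters. As an added example (not code from the OWASP cheat sheet or from anyone in this thread), the following Python builds that recommendation into a small, standard-library-only password store: PBKDF2-HMAC-SHA256 with a random per-password salt, a self-describing stored record, constant-time verification, transparent work-factor upgrade on successful login, and a known-answer self-test. The iteration count, the `algorithm$iterations$salt$hash` record format and the helper names are assumptions of this example, not values from the page.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Policy for newly created hashes. The iteration count is an assumption of
# this example (chosen to be costly on a modern CPU), not a value from the
# thread; tune it for your own hardware and latency budget.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    Record format (an assumption of this example): algorithm$iterations$salt$hash,
    with salt and hash base64-encoded. Each record carries its own work
    factor, so the policy can be raised later without a bulk migration.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, replacement). `replacement` is a fresh record at the current
    work factor when the stored one is weaker than policy, so a login handler
    can overwrite old hashes as users authenticate.
    """
    algorithm, iters, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password hash algorithm: %r" % algorithm)
    iterations = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # Constant-time comparison: a plain == returns early on the first
    # mismatching byte and leaks the position of that byte through timing.
    ok = hmac.compare_digest(candidate, expected)
    replacement = hash_password(password) if ok and iterations < ITERATIONS else None
    return ok, replacement


def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Estimate the iteration count that costs about target_seconds on this host.

    Work factor is a latency budget, not a magic number: measure a probe run
    and scale it, never returning fewer iterations than the probe itself.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"x" * SALT_BYTES, probe, dklen=DKLEN)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / elapsed))


def pbkdf2_known_answer() -> str:
    """Known-answer self-test for the primitive this store depends on.

    PBKDF2-HMAC-SHA256("password", "salt", c=1, dkLen=32) should yield
    120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b.
    Run this at start-up so a broken or substituted hashlib is caught
    before any record is written.
    """
    return hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 1, dklen=32).hex()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record)[0])  # True
    print(verify_password("Tr0ub4dor&3", record)[0])                   # False
    print(calibrate_iterations(0.25), "iterations for ~250 ms on this host")
```

The record format is what makes the "work factor" configurable in practice: because every stored hash states its own iteration count, raising `ITERATIONS` only affects new hashes, and `verify_password` hands back an upgraded record the next time each user logs in. Swapping in scrypt (the sheet's pick against hardware-accelerated attacks) means changing the derivation call and the algorithm tag; the salt handling, constant-time compare and upgrade path stay the same.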