[OWASP-cheat-sheets] OWASP Cheat Sheets Question - Password Hashing
jim.manico at owasp.org
Thu Mar 5 20:33:08 UTC 2015
Sure, do you have a wiki account? Care to take a crack at it?
On 3/5/15 7:17 AM, Thomas Herzog wrote:
> Hi there,
> I have a general remark. In my opinion there are currently some
> redundancies between the cryptography storage cheat sheet and the
> password storage cheat sheet. Wouldn't it be better to separate
> these two cheat sheets more? I would move everything which refers to
> password storage in particular to the password storage cheat sheet and
> would put a general reference into the cryptography storage
> cheat sheet (something like: for recommendations regarding password
> storage please see....). In this way you minimize syncing the two
> cheat sheets when you change something and simplify the overall
> What do you think?
> Best regards,
> On Thu, Mar 5, 2015 at 3:29 PM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
> Thank you for your input!
> > Should I recommend using PBKDF2 for the password hashing algorithm?
> PBKDF2, bcrypt or scrypt are the go-to algorithms for password storage.
> > Are SHA1/SHA-256 references to stale or outdated documentation?
> They are referring to hashing in general, not specific to password
> > 1. There are references to SHA1 and SHA-256 on this web page:
> > Only use approved public algorithms such as AES, RSA public key
> cryptography, and SHA-256 or better for hashing.
> I updated this. Better?
>> 2. However, this document does not mention anything regarding
>> SHA, AES, RSA, etc...
>> /Leverage an adaptive one-way function
>> Adaptive one-way functions compute a one-way (irreversible)
>> transform. Each function allows configuration of ‘work factor’.
>> Underlying mechanisms used to achieve irreversibility and govern
>> work factors (such as time, space, and parallelism) vary between
>> functions and remain unimportant to this discussion.
>> PBKDF2 [*4] when FIPS certification or enterprise support on many
>> platforms is required;
>> scrypt [*5] where resisting any/all hardware accelerated attacks
>> is necessary but support isn’t.
>> bcrypt where PBKDF2 or scrypt support is not available./
>> Thanks in advance for your clarification and/or consideration to
>> this request.
>> Kenneth Po
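As an added example (not part of this thread or of the cheat sheet text quoted above), here is the "adaptive one-way function" pattern Kenneth quotes, implemented with PBKDF2-HMAC-SHA256 from the Python standard library: a random per-password salt, the iteration count as the configurable work factor, constant-time verification, and a check that flags stored records whose work factor has fallen below current policy so they can be rehashed after a successful login. The record format and the function names are my own choices, not an OWASP specification.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example, not cheat-sheet code: self-describing record
# "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>".
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # the work factor; raise it as hardware gets faster
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt unless one is supplied (tests only)."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a stored record; None if it is malformed or uses another algorithm."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored work factor is below policy (or the record is unreadable)."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < min_iterations
```

On login, call `verify_password` and, when it succeeds and `needs_rehash` is true, replace the stored record with a fresh `hash_password` result so the work factor keeps up with policy.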