3
edits
WebAppSec/Secure Coding Guidelines: Difference between revisions
Jump to navigation
Jump to search
WebAppSec/Secure Coding Guidelines (view source)
Revision as of 10:00, 12 October 2011
, 12 October 2011Small clarification on the secureness of bcrypt.
(Using HMAC + bcrypt has absolutely zero advantage over using plain bcrypt. In fact, it's as stupid as hashing a hash. HMAC is meant for weak algorithms such as the SHA family.) |
(Small clarification on the secureness of bcrypt.) |
||
| Line 89: | Line 89: | ||
* http://yorickpeterse.com/articles/use-bcrypt-fool/ | * http://yorickpeterse.com/articles/use-bcrypt-fool/ | ||
* https://en.wikipedia.org/wiki/Bcrypt | * https://en.wikipedia.org/wiki/Bcrypt | ||
Keep in mind that while bcrypt is secure you should still enforce good passwords. | |||
As slow as an algorithm may be if a password is "123" it still would only take a | |||
short amount of time before somebody figures it out. | |||
==== Old Password Hashes ==== | ==== Old Password Hashes ==== | ||
* Password hashes older than a year should be deleted from the system. | * Password hashes older than a year should be deleted from the system. | ||
* After a password hash migration, old hashes should be removed within 3 months if user has yet to log in for the conversion process. | * After a password hash migration, old hashes should be removed within 3 months if user has yet to log in for the conversion process. | ||
====Migration==== | ====Migration==== | ||
The following process can be used to migrate an application that is using a different hashing algorithm than the standard hash listed above. The benefits of this approach is that it instantly upgrades all hashes to the strong, recommended hashing algorithm and it does not require users to reset their passwords. | The following process can be used to migrate an application that is using a different hashing algorithm than the standard hash listed above. The benefits of this approach is that it instantly upgrades all hashes to the strong, recommended hashing algorithm and it does not require users to reset their passwords. | ||