mirror of
https://github.com/github/codeql.git
synced 2026-04-17 04:54:02 +02:00
56 lines
1.5 KiB
XML
56 lines
1.5 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
<overview>
|
|
<p>
|
|
Storing cryptographic hashes of passwords is standard security
|
|
practice, but it is equally important to select the right
|
|
hashing scheme.
|
|
|
|
If an attacker obtains the hashed passwords of an application,
|
|
the password hashing scheme should still prevent the attacker
|
|
from easily obtaining the original cleartext passwords.
|
|
</p>
|
|
|
|
<p>
|
|
A good password hashing scheme requires a computation that
|
|
cannot be done efficiently. Standard hashing schemes, such as
|
|
<code>md5</code> or <code>sha1</code>, are efficiently
|
|
computable, and are therefore not suitable for password
|
|
hashing.
|
|
</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
Use a secure password hashing scheme such as
|
|
<code>bcrypt</code>, <code>scrypt</code>, <code>PBKDF2</code>,
|
|
or <code>Argon2</code>.
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>
|
|
In the example below, the <code>md5</code> algorithm computes
|
|
the hash of a password.
|
|
</p>
|
|
|
|
<sample src="examples/InsufficientPasswordHash.js"/>
|
|
|
|
<p>
|
|
This is not secure, since the password can be efficiently
|
|
cracked by an attacker that obtains the hash. A more secure
|
|
scheme is to hash the password with the <code>bcrypt</code>
|
|
algorithm:
|
|
</p>
|
|
|
|
<sample src="examples/InsufficientPasswordHash_fixed.js"/>
|
|
</example>
|
|
|
|
<references>
|
|
<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password storage</a>.</li>
|
|
</references>
|
|
</qhelp>
|