In production, passwords should be salted (+peppered) in addition to the existing hashing algorithm. The salt can be hardcoded through an environment variable in the dev stack and when testing, but in production the salt should come from an environment variable separate from our IaaS manifests.
Salting is a strong recommendation by the NIST, which serves as the foundation for the regulations associated with HIPAA. Applying peppering to passwords is also considered a good practice by the NIST.
Implementation
[ ] In AuthenticationService salt a new user's password based on the environment salt.
[ ] In AuthenticationService pass through several fields from the UserDTO and use an environment variable to select which field will be used as the pepper.
[ ] Implement salt and pepper mechanisms above in the login logic in SecurityConfig.java.
[ ] (OPTIONAL) If user accounts already exist on production, either delete them or force a password reset.
[ ] Create SECURITY_SALT environment variable on Heroku, GHA, and dev-stack.
[ ] Write unit tests to verify that the new hashing algorithm is non-deterministic and idempotent (i.e. the algorithm will always return the same hard-coded result if the same password, salt, UserDTO, and "pepper field" are passed in).
Summary
In production, passwords should be salted (+peppered) in addition to the existing hashing algorithm. The salt can be hardcoded through an environment variable in the dev stack and when testing, but in production the salt should come from an environment variable separate from our IaaS manifests.
Salting is a strong recommendation by the NIST, which serves as the foundation for the regulations associated with HIPAA. Applying peppering to passwords is also considered a good practice by the NIST.
Implementation
AuthenticationServicesalt a new user's password based on the environment salt.AuthenticationServicepass through several fields from the UserDTO and use an environment variable to select which field will be used as the pepper.SecurityConfig.java.SECURITY_SALTenvironment variable on Heroku, GHA, and dev-stack.UserDTO, and "pepper field" are passed in).