Open appills opened 8 months ago
https://github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md#v24-credential-storage
This section cannot be penetration tested, so controls are not marked as L1. However, this section is of vital importance to the security of credentials if they are stolen, so if forking the ASVS for an architecture or coding guideline or source code review checklist, please place these controls back to L1 in your private version.
Requirement itself:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.4.1 | [MODIFIED] Verify that one of the following password hashing functions is used when storing the user's password for the application: argon2id, scrypt, bcrypt or PBKDF2. (C6) | | ✓ | ✓ | 916 | 5.1.1.2 |
In general I agree it should be level 1, but based on the level description for ASVS v4.0.*, it is defined as level 2, and the reason is also described in the section.
So at the moment I see it as duplicate of https://github.com/OWASP/ASVS/issues/1495
So you copy-paste selective texts from around documents, but not the one which is written to the mentioned section? :)
Hehe, good point. I should've copied the text from the section (& probably read that it states to "Verify"; of course there's probably someone out there doing 100k MD5s, and that might be timing-indistinguishable).
@Sjord brings up a valid point in that #1495 thread:
For me, the levels relate to the security requirements of your application. If you are building a nuclear missile launch system, you would comply to L3. If you are building a tic-tac-toe website, you would comply to L1.
I'll continue my separate thought over there, thank you!
I'm not closing it at the moment; I've just marked it as "level question". If we can declare the levels on one nice day, we need to recheck those issues as well.
2.4.1
Application Security Verification Levels:
Insecure password storage or insecure credential handling can be tested by a human in at least one way, such as detecting non-timing-safe string comparisons. Secure password hashing is surely testable by a human from a black box and can be inferred to some extent from response timing.
Using ASVS for Level 1 states:
And insecure password hashing, storage, and non-timing-safe string comparisons surely fall under A02 Cryptographic Failures
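To make concrete what requirement 2.4.1 (quoted in the opening post) and the timing-safe comparison point in this comment look like in code, here is an added Python example; it is not code from the ASVS project or from anyone in this thread. It assumes the Python standard library's `hashlib.scrypt` (one of the four functions 2.4.1 lists) and `hmac.compare_digest`; the scrypt cost parameters and the `scrypt$N$r$p$salt$hash` storage format are the example's own choices, not an ASVS-prescribed format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters chosen for this example (128 * N * r bytes of memory, ~16 MiB here).
# Tune N upward for your hardware; the stored string records the parameters used,
# so old hashes remain verifiable after you raise them.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random per-user salt
DKLEN = 32      # bytes of derived key stored as the "hash"

# Only the functions named in ASVS 2.4.1 are accepted when verifying.
APPROVED_ALGORITHMS = {"scrypt"}  # this example implements scrypt only


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a scrypt hash and return a self-describing record:
    scrypt$N$r$p$<salt hex>$<hash hex>. A fresh random salt is used
    unless one is supplied (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters recorded in `stored` and compare
    it in constant time. Malformed records or records produced by an algorithm
    outside the approved set are rejected rather than guessed at."""
    parts = stored.split("$")
    if len(parts) != 6:
        return False
    algo, n, r, p, salt_hex, hash_hex = parts
    if algo not in APPROVED_ALGORITHMS:
        return False
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except ValueError:
        return False
    # hmac.compare_digest runs in time independent of where the inputs differ;
    # a plain `candidate == expected` is the non-timing-safe comparison the
    # comment above describes a tester looking for.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Tr0ub4dor&3", record))
    print("legacy md5 record:", verify_password("anything", "md5$" + "0" * 32))
```

Two design points: the record carries its own parameters so cost can be raised later without invalidating stored hashes, and verification refuses anything not in the approved set instead of falling back to a weaker function, which keeps a legacy `md5$...` row from silently passing.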