OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Password Storage 2.4.1 #2220

Closed jmanico closed 1 day ago

jmanico commented 1 day ago

Can we at least add 2.4.1 [MODIFIED, MERGED FROM 2.4.3, 2.4.4] Verify that user passwords are stored using an approved password hashing algorithm that is securely configured according to current guidance. Argon2id should be used over other password hashing algorithms, as it is currently recommended for its resistance to side-channel attacks and its customizable memory, CPU, and parallelism parameters. (CWE: 916, NIST: 5.1.1.2)
jmanico commented 1 day ago

If any of you are frustrated on this, I am prepared to settle this by invoking the ancient rite of combat.

tghosth commented 1 day ago

How about an archery challenge :) https://www.centerparcs.co.uk/discover-center-parcs/things-to-do/activities/archery-adventure.html

jmanico commented 1 day ago

I prefer the crossbow https://www.centerparcs.co.uk/discover-center-parcs/things-to-do/activities/mini-crossbows.html

tghosth commented 1 day ago

So I am resistant to including this in the requirement because I don't think you should fail the requirement if you are using carefully and securely configured bcrypt.

On the other hand, maybe you can mention in the section text/intro that argon2id is the current preference?
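The "securely configured according to current guidance" wording above is easier to verify when the chosen parameters are embedded in the stored hash and checked against a policy at login. The following is an added example written for this thread, not code from the ASVS project or either commenter. It uses `hashlib.scrypt` from the Python standard library as a stand-in, because Argon2id needs a third-party package (argon2-cffi); the same pattern (hash with a named parameter set, verify in constant time, flag hashes whose parameters fall below the current policy for re-hashing when the cleartext is next available) applies unchanged to Argon2id or bcrypt. The `CURRENT_POLICY` and `LEGACY_POLICY` values are constructed for illustration, not numbers taken from ASVS.

```python
"""Password storage with an explicitly checked parameter policy.

Added example (not ASVS project code). scrypt is used as a standard-library
stand-in for Argon2id; the policy numbers below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ScryptPolicy:
    log2_n: int  # CPU/memory cost exponent (N = 2**log2_n)
    r: int       # block size
    p: int       # parallelism


# Assumed "current guidance" for this example (constructed, not from ASVS).
CURRENT_POLICY = ScryptPolicy(log2_n=17, r=8, p=1)
# A weaker, older setting, used only to demonstrate the upgrade check.
LEGACY_POLICY = ScryptPolicy(log2_n=14, r=8, p=1)

_SALT_BYTES = 16
_DKLEN = 32


def _derive(password: str, salt: bytes, policy: ScryptPolicy) -> bytes:
    # scrypt needs roughly 128 * N * r bytes; raise OpenSSL's default 32 MiB cap.
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=2 ** policy.log2_n, r=policy.r, p=policy.p,
        maxmem=256 * 1024 * 1024, dklen=_DKLEN,
    )


def hash_password(password: str, policy: ScryptPolicy = CURRENT_POLICY) -> str:
    """Return a self-describing record: $scrypt$ln=..,r=..,p=..$salt$hash."""
    salt = os.urandom(_SALT_BYTES)
    digest = _derive(password, salt, policy)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return (f"$scrypt$ln={policy.log2_n},r={policy.r},p={policy.p}"
            f"${enc(salt)}${enc(digest)}")


def _parse(stored: str):
    """Split a stored record into (policy, salt, digest)."""
    _, algo, params, salt_b64, hash_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    kv = dict(item.split("=") for item in params.split(","))
    policy = ScryptPolicy(log2_n=int(kv["ln"]), r=int(kv["r"]), p=int(kv["p"]))
    return policy, base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the hash; compare in constant time."""
    policy, salt, expected = _parse(stored)
    return hmac.compare_digest(_derive(password, salt, policy), expected)


def needs_rehash(stored: str, policy: ScryptPolicy = CURRENT_POLICY) -> bool:
    """True when any parameter in the stored record is weaker than the current policy."""
    stored_policy, _, _ = _parse(stored)
    return (stored_policy.log2_n < policy.log2_n
            or stored_policy.r < policy.r
            or stored_policy.p < policy.p)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    old_record = hash_password(pw, LEGACY_POLICY)
    assert verify_password(pw, old_record)
    # Upgrade-on-login: the cleartext is in hand, so re-hash under current policy.
    if needs_rehash(old_record):
        new_record = hash_password(pw)
        assert verify_password(pw, new_record) and not needs_rehash(new_record)
        print("re-hashed under current policy")
```

Because the parameters travel with each record, an audit can answer "is every stored hash configured to current guidance" by scanning records with `needs_rehash` rather than by trusting that the application code has always used the right constants.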

jmanico commented 1 day ago

I am ok with that