
A07:2021 Identification and Authentication Failure clarification needed #553

Open
ninedter opened this issue Sep 11, 2021 · 3 comments
@ninedter
Contributor

ninedter commented Sep 11, 2021

While translating A07:2021, we felt the following description was a bit weird:

Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).

I can understand plain text and weakly hashed passwords being part of protecting against identification and authentication failures, but encrypted passwords being part of it felt a bit weird. If an encrypted password is used as-is to gain access, that is understandable, but I thought we might need a better explanation, or to elaborate it a bit, to make it clearer?

sandyiliu3d pushed a commit to ninedter/Top10 that referenced this issue Sep 12, 2021
[A07] translated, waiting for issue OWASP#553 and needs revision

change list:
 A02_2021-Cryptographic_Failures.zh_TW.md
 A07_2021-Identification_and_Authentication_Failures.zh_TW.md
@sslHello
Collaborator

Hi @ninedter,
thank you for your issue.
Agreed, it is not about how to handle passwords for technical users used by the server or application itself.
I'd like to discuss two possible small changes to clarify this:

  • Uses plain text, encrypted, or weakly hashed user passwords
  • Uses plain text, encrypted, or weakly hashed password databases

Cheers Torsten

@vanderaj
Member

data stores for the win

@szh

szh commented Nov 6, 2022

I think the point being made is that applications are supposed to hash passwords rather than encrypt them, since hashing is one-way whereas encryption can be undone. There are some more details in the A02 page:

Store passwords using strong adaptive and salted hashing functions...

CWE-328 Reversible One-Way Hash

So encrypting passwords, no matter what kind of encryption is used, is inherently weaker than hashing.
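The reversibility point in the comment above, shown in code. This is an added example and not part of the OWASP Top 10 repository: a password store that encrypts passwords hands every plaintext to whoever obtains the key, while a store of salted, adaptive hashes (here PBKDF2-HMAC-SHA256 from the Python standard library) only supports verification. The XOR keystream cipher is a deliberately minimal, constructed stand-in for any reversible cipher and is not a recommendation; the iteration count, field layout of the hash record and all sample credentials are assumptions for the demonstration.

```python
"""Reversible encryption vs. salted adaptive hashing for stored passwords.

Added example (not OWASP project code). Standard library only.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. The OWASP Password Storage Cheat Sheet
# recommends 600,000 iterations for this construction; raise it over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
NONCE_BYTES = 12


# --- The weak pattern: reversible encryption (CWE-328 territory) ------------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustrative only."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def encrypt_password_reversible(password: str, key: bytes) -> bytes:
    """Encrypt a password. Any reversible scheme shares the same flaw:
    the key recovers the plaintext. Returns nonce || ciphertext."""
    plaintext = password.encode("utf-8")
    nonce = os.urandom(NONCE_BYTES)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt_password(blob: bytes, key: bytes) -> str:
    """Anyone holding the key reverses the stored value to the password."""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8")


def recover_all_passwords(encrypted_store: dict, key: bytes) -> dict:
    """The failure mode: a leaked key plus a leaked store yields every password."""
    return {user: decrypt_password(blob, key) for user, blob in encrypted_store.items()}


# --- The recommended pattern: salted, adaptive one-way hash -----------------

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.
    A fresh random salt means equal passwords never produce equal records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. There is no operation that turns `record` back into the password."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credentials and a constructed key.
    key = os.urandom(32)
    encrypted_store = {
        "alice": encrypt_password_reversible("correct horse battery staple", key),
        "bob": encrypt_password_reversible("hunter2", key),
    }
    print("encrypted store + key ->", recover_all_passwords(encrypted_store, key))

    hashed_store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),  # same password, different record
    }
    print("same password, distinct records:", hashed_store["alice"] != hashed_store["bob"])
    print("alice login ok:", verify_password("correct horse battery staple", hashed_store["alice"]))
    print("alice wrong pw:", verify_password("Tr0ub4dor&3", hashed_store["alice"]))
```

The contrast is the whole point of the A02 wording quoted above: `recover_all_passwords` exists for the encrypted store and cannot be written for the hashed one, so a breach of the hashed store costs an attacker a per-user guessing campaign at the configured work factor rather than a single key.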
