While translating A07:2021, we felt the following description was a bit weird:
Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).
I can understand plain text or weakly hashed passwords being part of protecting against identification and authentication failures, but encrypted passwords being part of it felt a bit weird. If an encrypted password is used as is to gain access, that is understandable, but I thought we might need a better explanation, or to elaborate it a bit to make it clearer?
[A07] translated, waiting for issue OWASP#553, needs revision
change list:
A02_2021-Cryptographic_Failures.zh_TW.md
A07_2021-Identification_and_Authentication_Failures.zh_TW.md
Hi @ninedter,
thank you for your issue.
Agreed, it is not about how to handle passwords for technical users used by the server or application itself.
I'd like to discuss two possible small changes to clarify this:
Uses plain text, encrypted, or weakly hashed user passwords
I think the point being made is that applications are supposed to hash passwords rather than encrypt them, since hashing is one-way whereas encryption can be undone. There are some more details in the A02 page:
Store passwords using strong adaptive and salted hashing functions...
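The distinction the comment above draws (one-way, salted adaptive hashing versus reversible encryption), as an added example that is not part of this thread or of the OWASP project: a PBKDF2-HMAC-SHA256 password store with constant-time verification and a policy check for records hashed with too few iterations. The record format, iteration count and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 is a salted, adaptive password hash: the iteration
# count is the cost knob, raised over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000  # assumed policy value, not from the thread
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>'.

    A fresh random salt per password means two users with the same password
    get different records, so a leaked table cannot be attacked in bulk with
    one precomputed table. Unlike encryption, nothing can invert this: the
    server never needs (and never holds) a key that yields the plaintext.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iter_s, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record is below current policy (or unreadable), so the
    application can re-hash transparently on the user's next successful login."""
    try:
        algo, iter_s, _salt, _hash = record.split("$")
        return algo != "pbkdf2_sha256" or int(iter_s) < min_iterations
    except ValueError:
        return True
```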