Password Storage Algorithms 2.4.1 revisited #1975
Assignees
Comments
|
I also like @elarlang suggestion from #1812 (comment) if that is still valid. |
It is not valid anymore, as discussed and decided here #1923 (comment) and commited here 76268ea |
|
Yeah we had a lot of back and forth on this and the current position is how we decided. Argon2id is mentioned in the very first bullet of the password storage cheatsheet tl;dr which is what we refer to. If you don't mind, I will close this as a done deal for now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We once had specific password storage requirements. While those were removed, I believe including guidance on using a strong, modern password hashing algorithm like Argon2id would be very beneficial to developers.
Argon2id is a widely recommended choice due to its dynamic configuration capability and projected longevity. It would encourage developers to adopt a best-in-class approach for password security.
Therefore, I propose adding a requirement similar to this:
[MODIFIED, MERGED FROM 2.4.3, 2.4.4] Verify that user passwords are stored using an approved password hashing algorithm, such as Argon2id, that is securely configured according to current guidance.
This aligns well with the high-level goals of ASVS 2.4.1 while offering more specific guidance for developers.
The text was updated successfully, but these errors were encountered: