38 lines
677 B
Plaintext
38 lines
677 B
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Noncompliant Code Example
|
||
|
|
|
||
|
|
hashlib
|
||
|
|
----
|
||
|
|
import crypt
|
||
|
|
from hashlib import pbkdf2_hmac
|
||
|
|
|
||
|
|
hash = pbkdf2_hmac('sha256', password, b'D8VxSmTZt2E2YV454mkqAY5e', 100000) # Noncompliant: salt is hardcoded
|
||
|
|
----
|
||
|
|
|
||
|
|
crypt
|
||
|
|
----
|
||
|
|
hash = crypt.crypt(password) # Noncompliant: salt is not provided
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
hashlib
|
||
|
|
----
|
||
|
|
import crypt
|
||
|
|
from hashlib import pbkdf2_hmac
|
||
|
|
|
||
|
|
salt = os.urandom(32)
|
||
|
|
hash = pbkdf2_hmac('sha256', password, salt, 100000) # Compliant
|
||
|
|
----
|
||
|
|
|
||
|
|
crypt
|
||
|
|
----
|
||
|
|
salt = crypt.mksalt(crypt.METHOD_SHA256)
|
||
|
|
hash = crypt.crypt(password, salt) # Compliant
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|