rspec/rules/S5344/common/fix/password-hashing.adoc

==== Use secure password hashing algorithms

In general, you should rely on an algorithm that has no known security
vulnerabilities. The MD5 and SHA-1 algorithms should not be used.

Some algorithms, such as the SHA family functions, are considered strong for
some use cases, but are too fast in computation and therefore vulnerable to
brute force attacks, especially with bruteforce-attack-oriented hardware.

To protect passwords, it is therefore important to choose modern, slow
password-hashing algorithms. The following algorithms are, in order of strength,
the most secure password hashing algorithms to date:

. Argon2
. scrypt
. bcrypt
. PBKDF2

Argon2 should be the best choice, and others should be used when the previous
one is not available. For systems that must use FIPS-140-certified algorithms,
PBKDF2 should be used.

Whenever possible, choose the strongest algorithm available. If the algorithm
currently used by your system should be upgraded, OWASP documents possible
upgrade methods here:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes[Upgrading Legacy Hashes].
Create rule S5344(python): Passwords should not be stored in plain-text or with a fast hashing algorithm (#3715) 2024-03-18 17:37:51 +01:00			`==== Use secure password hashing algorithms`
Modify S5344: Re-arrange the folder for new languages (#3709) * Modify S5344: Re-arrange the folder for new languages * modify a file name typo * last tweaks * changed diff * reorg fixes * Apply suggestions from code review 2024-02-29 15:36:57 +01:00
Create rule S5344(python): Passwords should not be stored in plain-text or with a fast hashing algorithm (#3715) 2024-03-18 17:37:51 +01:00			`In general, you should rely on an algorithm that has no known security`
			`vulnerabilities. The MD5 and SHA-1 algorithms should not be used.`
Modify S5344: Re-arrange the folder for new languages (#3709) * Modify S5344: Re-arrange the folder for new languages * modify a file name typo * last tweaks * changed diff * reorg fixes * Apply suggestions from code review 2024-02-29 15:36:57 +01:00
Create rule S5344(python): Passwords should not be stored in plain-text or with a fast hashing algorithm (#3715) 2024-03-18 17:37:51 +01:00			`Some algorithms, such as the SHA family functions, are considered strong for`
			`some use cases, but are too fast in computation and therefore vulnerable to`
			`brute force attacks, especially with bruteforce-attack-oriented hardware.`
Modify S5344: Re-arrange the folder for new languages (#3709) * Modify S5344: Re-arrange the folder for new languages * modify a file name typo * last tweaks * changed diff * reorg fixes * Apply suggestions from code review 2024-02-29 15:36:57 +01:00
Create rule S5344(python): Passwords should not be stored in plain-text or with a fast hashing algorithm (#3715) 2024-03-18 17:37:51 +01:00			`To protect passwords, it is therefore important to choose modern, slow`
			`password-hashing algorithms. The following algorithms are, in order of strength,`
			`the most secure password hashing algorithms to date:`

			`. Argon2`
			`. scrypt`
			`. bcrypt`
			`. PBKDF2`

			`Argon2 should be the best choice, and others should be used when the previous`
			`one is not available. For systems that must use FIPS-140-certified algorithms,`
			`PBKDF2 should be used.`

			`Whenever possible, choose the strongest algorithm available. If the algorithm`
			`currently used by your system should be upgraded, OWASP documents possible`
			`upgrade methods here:`
			`https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes[Upgrading Legacy Hashes].`