2020-06-30 12:48:07 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
|
|
|
|
|
|
hashlib
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
import crypt
|
|
|
|
|
from hashlib import pbkdf2_hmac
|
|
|
|
|
|
|
|
|
|
hash = pbkdf2_hmac('sha256', password, b'D8VxSmTZt2E2YV454mkqAY5e', 100000) # Noncompliant: salt is hardcoded
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
crypt
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
hash = crypt.crypt(password) # Noncompliant: salt is not provided
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
hashlib
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
import crypt
|
|
|
|
|
from hashlib import pbkdf2_hmac
|
|
|
|
|
|
|
|
|
|
salt = os.urandom(32)
|
|
|
|
|
hash = pbkdf2_hmac('sha256', password, salt, 100000) # Compliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
crypt
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
salt = crypt.mksalt(crypt.METHOD_SHA256)
|
|
|
|
|
hash = crypt.crypt(password, salt) # Compliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
