13 changes: 7 additions & 6 deletions csharp/src/security/CWE-328/WeakPasswordHashing.qhelp
Expand Up @@ -4,8 +4,7 @@
<qhelp>
<overview>
<p>
Using a insufficiently computationally hard hash function can leave data
vulnerable, and should not be used for password hashing.
Hash functions that are not sufficiently computationally hard can leave data vulnerable. You should not use such functions for password hashing.
</p>

<p>
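Review bot: the rewritten overview sentence still says only that such functions "can leave data vulnerable", which does not tell the reader what the threat is; the rest of the overview makes the point that the risk is offline brute forcing of stored password hashes, so say that here. Suggest: "Hash functions that are not sufficiently computationally hard leave stored passwords vulnerable to offline brute-force attacks, and should not be used for password hashing."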
Expand All @@ -30,18 +29,18 @@
</ul>

<p>
All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not computationally hard.
All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not sufficiently computationally hard. This includes SHA-224, SHA-256, SHA-384 and SHA-512, which are in the SHA-2 family.
</p>

<p>
Password hashing algorithms are designed to be slow and/or memory intenstive to compute, which makes brute force attacks more difficult.
Password hashing algorithms should be slow and/or memory intensive to compute, to make brute force attacks more difficult.
</p>

</overview>
<recommendation>

<p>
Ensure that for password storage you should use a computationally hard cryptographic hash function, such as:
For password storage, you should use a sufficiently computationally hard cryptographic hash function, such as one of the following:
</p>

<ul>
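Review bot: "weak against offline brute forcing" in the rewritten MD5/SHA sentence reads as if SHA-2 and SHA-3 were cryptographically broken, which is not the point of this rule; the problem the sentence itself gives is that they are not computationally hard, i.e. fast, so each guess is cheap. Suggest "are unsuitable for password hashing, because they are fast to compute and so make offline brute forcing cheap". The added enumeration of SHA-224/256/384/512 is a good addition, since a reader may not connect SHA-256 with "SHA-2". Also, changing "are designed to be slow and/or memory intensive" to "should be" loses the original's accurate statement that dedicated password hashing algorithms are built this way; "are designed to be" was correct and worth keeping.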
Expand All @@ -51,7 +50,9 @@
<li>
scrypt
</li>
<li>
bcrypt
</li>
<li>
PBKDF2
</li>
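Review bot: the recommendation list now names scrypt, bcrypt and PBKDF2 but says nothing about their work factors; PBKDF2 with a low iteration count, or bcrypt or scrypt with a low cost or memory parameter, is not "sufficiently computationally hard", which is the property the sentence introducing the list asks for. Suggest a sentence after the list noting that the iteration count, cost factor or memory parameter of the chosen function must be set high enough for the deployment.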
Expand All @@ -61,7 +62,7 @@
<example>

<p>
The following examples show a function that hashes a password using a cryptographic hashing algorithm.
The following examples show two versions of the same function. In both cases, a password is hashed using a cryptographic hashing algorithm.

In the first case the SHA-512 hashing algorithm is used. It is vulnerable to offline brute force attacks:
</p>
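Review bot: the example introduction says the first version "is vulnerable to offline brute force attacks" without saying why, so the example does not connect back to the overview's argument that SHA-512 is a fast general-purpose hash; "It is vulnerable" also has an ambiguous antecedent (the algorithm or the function). Suggest: "In the first case the SHA-512 hashing algorithm is used. Because SHA-512 is fast to compute, the resulting hash is vulnerable to offline brute force attacks:".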