Application Security · Flashcard

How should an application store user passwords?

  • A. A strong, iterative, salted hash such as bcrypt or PBKDF2 — with a per-user random salt
  • B. A single pass of a fast hash like SHA-256 — applied directly to the raw user password
  • C. Symmetric encryption with a server-side key — so the passwords can be decrypted if needed
  • D. A hash using one shared application-wide salt — appended to every user's password value

Why this is the answer

Correct answer: A. A slow, iterative KDF such as bcrypt or PBKDF2 makes every guess expensive, and a random per-user salt makes precomputed rainbow tables useless and forces each account to be cracked separately; storing password hashes without that computational cost is CWE-916. A single fast SHA-256 can be guessed at billions of hashes per second on GPUs; reversible encryption means one key leak exposes every password in the clear; and a single application-wide salt still gives users with identical passwords identical stored hashes, so they can be attacked together and one table serves every account.
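The following is an added example, not part of the original card, showing the recommended design beside the two rejected hashing options so the difference is visible in code. It uses PBKDF2-HMAC-SHA256 from the Python standard library (the card also names bcrypt, which would need a third-party package); the iteration count, salt length, record format and function names are assumptions for this example, not something the card specifies.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example (assumptions, not from the original card):
# PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte random salt, 32-byte output.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn on every call, so two users with the same
    password get different records and cannot be attacked with one table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record is below the current iteration policy (rehash on next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


# The two rejected hashing designs from the card, kept deliberately weak for comparison.

def unsalted_sha256(password: str) -> str:
    """Option B: one fast hash, no salt. Identical passwords collide across users and sites."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


SHARED_SALT = b"app-wide-salt"  # constructed value standing in for a single global salt


def shared_salt_sha256(password: str) -> str:
    """Option D: one salt for everyone. Identical passwords still collide within this app."""
    return hashlib.sha256(SHARED_SALT + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("per-user salt gives distinct records:", alice != bob)
    print("verify right password:", verify_password("correct horse battery staple", alice))
    print("verify wrong password:", verify_password("wrong", alice))
    print("option B collides:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("option D collides:", shared_salt_sha256("hunter2") == shared_salt_sha256("hunter2"))
```

The record stores its own algorithm, iteration count and salt, so the iteration count can be raised later and old records detected with `needs_rehash` and upgraded at the user's next successful login; `hmac.compare_digest` avoids leaking where the comparison diverges through timing.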
