Changes between Version 9 and Version 10 of Ticket #34661
Timestamp:
Jun 18, 2023, 5:20:16 PM (12 months ago)
Author:
Fatih Erikli
Comment:

  • Ticket #34661 – Description

    v9 v10
    29 29   - to hash the already exposed passwords.
    30 30
    31      There is one more element needed for hashing the password, **pepper**, should be django project specific. Even when a database is exposed, the attacker will not be able to lookup the known passwords, since they don't have the secret pepper key.
       31   There is one more element needed for hashing the password, **pepper**, should be project specific. When a database is exposed in public, the attacker will not be able to lookup the passwords, since they don't have the secret pepper key.
    32 32
    33      I am not sure about the vulnerability enumeration, however this cause CWE-760 even though salt is not weak, but it is known, when a database is exposed. Because the salt is stored next to the hashed password.
       33   I am not sure about the vulnerability enumeration, but CWE-760 seems closer. Salt is not weak, but it is known. The salt is stored next to the hashed password.
    34 34
    35 35   This is a case of when a database is stolen, however I think Django, by default, should do everything that could be done at the framework level to keep the user information secured.
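The ticket description argues that a project-specific secret (the pepper) should enter the password hash in addition to the per-user salt that sits in the same database row. The following is an added illustration of that idea, not code from the ticket or from Django: the pepper is applied with HMAC before a slow KDF, the stored record carries only salt and hash, and a verifier holding nothing but the stolen row cannot confirm even a correct guess. The constant `PEPPER`, the iteration count and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed example value: a site-wide secret that lives outside the
# database (environment variable, secrets manager), never in a table row.
PEPPER = b"constructed-example-pepper-keep-out-of-the-db"
ITERATIONS = 100_000  # assumed cost parameter for the illustration


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """Pepper the password with HMAC-SHA256, then run the slow KDF with the per-user salt.

    The salt defeats precomputed tables across users; the pepper makes the
    hash uncomputable for anyone who holds only the database contents.
    """
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Build what the database row would store: salt and hash only, no pepper."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": hash_password(password, salt).hex()}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Normal login path: the application has both the row and the pepper."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def verify_without_pepper(password: str, record: dict) -> bool:
    """Models the ticket's threat: a party holding the exposed row (salt + hash)
    but not the pepper. They can only run the KDF over the raw password, so the
    result never matches the stored hash, even for the correct password."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    row = make_record("correct horse battery staple")
    print("stored row:", row)
    print("login with pepper:", verify("correct horse battery staple", row))
    print("check from leaked row only:", verify_without_pepper("correct horse battery staple", row))
```

Two design points follow from the ticket's reasoning: the pepper must be deployed and rotated like any other key (losing it invalidates every stored hash), and it has to be kept where a database dump cannot reach it, otherwise it degrades into a second salt.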