Changes between Version 3 and Version 4 of Ticket #34661
Timestamp: Jun 16, 2023, 12:22:29 PM (17 months ago)
Ticket #34661 – Description
Line 26 (unchanged in v3 and v4):
There is one more element needed for hashing the password, **pepper**, which should be Django project specific. Even when a database is exposed, the attacker will not be able to look up the known passwords, since they don't have the secret pepper key.

Line 28 (v3):
I am not sure, however this causes CWE-760 https://cwe.mitre.org/data/definitions/760.html, even though the salt is not weak, but it is known when a database is exposed.

Line 28 (v4, modified):
I am not sure about the vulnerability enumeration; however, this causes CWE-760 [0], even though the salt is not weak, but it is known when a database is exposed, because the salt is stored next to the hashed password.

Line 30 (unchanged in v3 and v4):
I think peppering passwords should be a default behavior of Django.

Line 32 (added in v4):
[0] https://cwe.mitre.org/data/definitions/760.html
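The point the ticket makes, shown as an added example that is not part of the ticket and not Django's own hasher code: the salt and iteration count live in the stored record, so an attacker holding a database dump can test password guesses against a plain salted PBKDF2 hash directly. If the password is first keyed with a secret pepper that is kept outside the database (here an HMAC-SHA256 with the pepper as key, before PBKDF2; the pepper value, the record layout, the `offline_guess` attacker model and the reduced iteration count are all assumptions made for this demo), the same dump is useless without the pepper.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a server-side secret loaded from settings or the environment.
# It is never written to the users table, so it is absent from a DB dump.
PEPPER = b"example-pepper-kept-out-of-the-database"

# PBKDF2-SHA256 work factor. Deliberately low so the demo runs quickly;
# a production setting would use a far higher count.
ITERATIONS = 20_000


def _pbkdf2(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def _apply_pepper(password: str, pepper: bytes) -> bytes:
    # Key the password with the pepper before the slow hash, so the stored
    # hash cannot be recomputed by anyone who does not hold the pepper.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def make_record(password: str, pepper: Optional[bytes], salt: Optional[bytes] = None) -> dict:
    """Build the row that would be stored in the users table.

    As in Django, the salt and iteration count are stored next to the hash.
    The pepper, when used, is not stored anywhere in the row.
    """
    if salt is None:
        salt = os.urandom(16)
    material = _apply_pepper(password, pepper) if pepper is not None else password.encode("utf-8")
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _pbkdf2(material, salt, ITERATIONS),
        "peppered": pepper is not None,
    }


def verify(record: dict, password: str, pepper: Optional[bytes]) -> bool:
    """Server-side check: the application holds the pepper (if any)."""
    if record["peppered"]:
        if pepper is None:
            return False
        material = _apply_pepper(password, pepper)
    else:
        material = password.encode("utf-8")
    candidate = _pbkdf2(material, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], candidate)


def offline_guess(record: dict, candidates: list) -> Optional[str]:
    """Attacker model: they hold only the leaked row (salt, iterations, hash).

    The salt is known, so each guess can be hashed exactly as the server did.
    Against a peppered record this fails: the attacker cannot reproduce the
    HMAC step without the pepper, so no guess matches.
    """
    for guess in candidates:
        candidate = _pbkdf2(guess.encode("utf-8"), record["salt"], record["iterations"])
        if hmac.compare_digest(record["hash"], candidate):
            return guess
    return None


def demo() -> dict:
    password = "correct horse battery staple"
    wordlist = ["password", "123456", password]
    plain = make_record(password, None)
    peppered = make_record(password, PEPPER)
    return {
        "plain_server_ok": verify(plain, password, None),
        "plain_cracked": offline_guess(plain, wordlist),
        "peppered_server_ok": verify(peppered, password, PEPPER),
        "peppered_wrong_pepper": verify(peppered, password, b"some-other-pepper"),
        "peppered_cracked": offline_guess(peppered, wordlist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note the trade-off this construction implies: the pepper must be backed up and rotated separately from the database, and rotating it requires re-hashing on next login, since the stored hashes cannot be recomputed without the old value.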