Changes between Version 9 and Version 10 of Ticket #34661


Ignore:
Timestamp:
Jun 18, 2023, 5:20:16 PM (18 months ago)
Author:
Fatih Erikli
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #34661 – Description

    v9 v10  
    2929- to hash the already exposed passwords.
    3030
    31 There is one more element needed for hashing the password, **pepper**, should be django project specific. Even when a database is exposed, the attacker will not be able to lookup the known passwords, since they don't have the secret pepper key.
     31There is one more element needed for hashing the password, **pepper**, should be project specific. When a database is exposed in public, the attacker will not be able to lookup the passwords, since they don't have the secret pepper key.
    3232
    33 I am not sure about the vulnerability enumeration, however this cause CWE-760 even though salt is not weak, but it is known, when a database is exposed. Because the salt is stored next to the hashed password.
     33I am not sure about the vulnerability enumeration, but CWE-760 seems closer. Salt is not weak, but it is known. The salt is stored next to the hashed password.
    3434
    3535This is a case of when a database is stolen, however I think Django, by default, should do everything that could be done at the framework level to keep the user information secured.
Back to Top