Changes between Version 2 and Version 3 of Ticket #34661


Ignore:
Timestamp:
Jun 16, 2023, 12:20:44 PM (18 months ago)
Author:
Fatih Erikli
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #34661 – Description

    v2 v3  
    2525
    2626There is one more element needed for hashing the password, **pepper**, should be django project specific. Even when a database is exposed, the attacker will not be able to lookup the known passwords, since they don't have the secret pepper key.
     27
     28I am not sure, however this cause CWE-760 https://cwe.mitre.org/data/definitions/760.html, even though salt is not weak, but it is known, when a database is exposed.
     29
     30I think peppering passwords should be a default behavior of django.
Back to Top