Changes between Version 4 and Version 5 of Ticket #34661


Timestamp:
Jun 16, 2023, 12:22:52 PM (18 months ago)
Author:
Fatih Erikli
Comment:

  • Ticket #34661 – Description

    v4  v5
    26  26  There is one more element needed for hashing the password, **pepper**, which should be Django project specific. Even when a database is exposed, the attacker will not be able to look up the known passwords, since they don't have the secret pepper key.
    27  27
    28      (removed) I am not sure about the vulnerability enumeration, however this causes CWE-760 [0] even though the salt is not weak; it is known when a database is exposed, because the salt is stored next to the hashed password.
        28  (added) I am not sure about the vulnerability enumeration, however this causes CWE-760 even though the salt is not weak; it is known when a database is exposed, because the salt is stored next to the hashed password.
    29  29
    30  30  I think peppering passwords should be a default behavior of Django.
    31      (removed)
    32      (removed) [0] https://cwe.mitre.org/data/definitions/760.html
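The scheme the ticket asks for, as an added illustration that is not part of the ticket and not Django's own hasher code: the password is first bound to a project-wide secret (the pepper) with HMAC-SHA256, and only the result goes through a per-user salted PBKDF2. The stored string carries the algorithm label, iteration count, salt and digest, exactly what a database dump exposes; the pepper lives outside the database. `offline_dictionary_attack` models an attacker who holds that dump and a wordlist but has to guess the pepper. All names (`PEPPER`, `hash_password`, `verify_password`, `offline_dictionary_attack`, the `pbkdf2_sha256_peppered` label) and the wordlist are assumptions made for this example; the iteration count is lowered so the demo runs quickly.

```python
"""Added example: a pepper applied on top of a salted PBKDF2 hash.

Not Django's hasher. Names and sample data are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Project-wide secret. In a deployment it is loaded from the environment or a
# secret store, never written to the database. Value constructed for this example.
PEPPER = b"example-pepper-kept-out-of-the-database"

# PBKDF2-HMAC-SHA256 cost. Lowered from production values so the example runs fast.
ITERATIONS = 100_000

# Hypothetical label for the stored string; not an existing Django hasher name.
ALGORITHM = "pbkdf2_sha256_peppered"


def _pepper_password(password: str, pepper: bytes) -> bytes:
    """Bind the password to the pepper with HMAC-SHA256 before salting.

    Without the pepper this step cannot be reproduced, so a stolen
    salt + digest pair alone does not let an attacker test guesses.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[str] = None, iterations: int = ITERATIONS) -> str:
    """Return '<alg>$<iterations>$<salt>$<hex digest>'. The salt is stored in clear."""
    if salt is None:
        salt = secrets.token_hex(16)  # per-user, public, stored next to the digest
    digest = hashlib.pbkdf2_hmac(
        "sha256", _pepper_password(password, pepper), bytes.fromhex(salt), iterations
    )
    return f"{ALGORITHM}${iterations}${salt}${digest.hex()}"


def verify_password(password: str, encoded: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt, _digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    candidate = hash_password(password, pepper, salt, int(iterations))
    return hmac.compare_digest(candidate, encoded)


def offline_dictionary_attack(encoded: str, wordlist: List[str],
                              pepper_guess: bytes) -> Optional[str]:
    """Model an attacker holding a database dump.

    They see algorithm, iteration count, salt and digest and know the scheme,
    but only have `pepper_guess` for the pepper. Returns the recovered password,
    or None if no word in the list reproduces the stored hash.
    """
    for word in wordlist:
        if verify_password(word, encoded, pepper_guess):
            return word
    return None


# Constructed sample wordlist; the real password is deliberately in it.
WORDLIST = ["123456", "password", "qwerty", "correct horse battery staple"]


def demo() -> dict:
    stored = hash_password("correct horse battery staple")
    return {
        "legit_login": verify_password("correct horse battery staple", stored),
        "wrong_password": verify_password("let me in", stored),
        # Database leaked, pepper not: the wordlist is useless even though the
        # salt is right there in the stored string.
        "attack_without_pepper": offline_dictionary_attack(
            stored, WORDLIST, b"not-the-pepper"),
        # Database and pepper both leaked: back to ordinary salted-hash cracking.
        "attack_with_pepper": offline_dictionary_attack(stored, WORDLIST, PEPPER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two practical caveats follow from the design. The pepper must be reachable at login time but must not share the database's fate, so it belongs in an environment variable or secret manager, and a backup of the database alone must not contain it. Rotating it is harder than rotating a salt: the old pepper is needed to verify an existing hash, so a rotation has to keep the old value around until each user logs in and is rehashed under the new one.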