SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 156

changes.mady.by.user Robert Schiela

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

...

A good practice is to always use a salt in addition to the password being hashed. A salt is a unique randomly generated piece of data that is stored and used to generate the hash value along with the password. Each password should have its own salt associated with it. If a single salt were used for more than one password an attacker could determine when a user has a commonly used password. Password specific salts are usually stored along with their corresponding hash values.  SystemIn addition to password-unique salts, system-unique salts that are stored separately from the hash values may also be used to increase the difficulty of deriving passwords if a malicious actor obtains a copy of the hash values and salts.

...

Applications such as password managers may need to retrieve the original password to enter it into a third-party application. This is permitted even though it violates this guideline. The password manager is accessed by a single user and always has the user's permission to store his or her passwords and to display those passwords on command. Consequently, the limiting factor to safety and security is the user's competence rather than the program's operation.

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.MSC62.PCCF
CERT.MSC62.PWDPROP
CERT.MSC62.PWDXML
CERT.MSC62.WCPWD
CERT.MSC62.WPWD
CERT.MSC62.PLAIN
CERT.MSC62.PTPT
CERT.MSC62.UTAX
Avoid storing usernames and passwords in plain text in Castor 'jdo-conf.xml' files
Ensure that passwords are not stored as plaintext and are sufficiently long
Ensure that passwords are not stored as plaintext and are sufficiently long
Avoid unencrypted passwords in WebSphere 'ibm-webservicesclient-ext.xmi' files
Avoid unencrypted passwords in WebSphere 'ibm-webservices-ext.xmi' files
Password information should not be included in properties file in plaintext
Avoid using plain text passwords in Axis 'wsdd' files
Avoid using plain text passwords in Axis2 configuration files

Bibliography

[API 2013]

Class String
Package javax.crypto

[Hirondelle 2013]Passwords Never Clear in Text
[OWASP 2012]"Why Add Salt?"
[Paar 2010]Chapter 11, "Hash Functions"

[ASVS 2019]


OWASP ASVS
[NIST 2017]NIST 800-63

...