Password Storage
Level: Required
OWASP: ASVS 2.1.1
CWE: CWE-916
Updated: 2025-07-15
Hash passwords with a modern memory-hard KDF and a unique salt per credential.
Store passwords using a purpose-built password hashing algorithm such as Argon2id.
Requirements
- Use Argon2id (preferred) or scrypt/bcrypt with strong parameters.
- Unique, cryptographically random salt per password.
- Tune the cost factors (time, memory, parallelism) so that one hash takes roughly 250ms on the production server hardware.
- Never store or log plaintext passwords.
Example (Node.js)
import argon2 from "argon2";

// Argon2id with explicit cost parameters. The argon2 library generates a
// fresh random salt for every call and embeds it, with the parameters, in
// the returned encoded string.
export async function hashPassword(pw: string) {
  return argon2.hash(pw, {
    type: argon2.argon2id,
    timeCost: 3,        // iterations
    memoryCost: 65536,  // KiB, i.e. 64 MiB
    parallelism: 1,
  });
}

// Recomputes the hash using the salt and parameters stored in `hash` and
// compares in constant time.
export async function verify(hash: string, pw: string) {
  return argon2.verify(hash, pw);
}
Rotation
Support rehash-on-login when parameters upgrade.
References
- OWASP ASVS V2: Authentication
- NIST SP 800-63B
Tags
[Auth, Passwords, KDF]