Password Hashing and Encryption

The following list includes mitigation strategies you will want to present to your clients concerning secure password storage and transmission:

• Don't allow developers to hard-code credentials in apps.
• Hash stored passwords rather than storing them in plaintext.
• Use cryptographically strong hash functions, like SHA-256 and bcrypt.
• Avoid cryptographically weak hash functions, like MD5 and SHA-1.
• Use network access protocols that encrypt passwords in transit.
• For example, use SSH instead of Telnet, HTTPS instead of HTTP, FTPS instead of FTP, etc.
• Ensure network access protocols are using strong ciphers, like AES-256 and RC6.
• Avoid using network access protocols that incorporate weak cryptographic ciphers, like DES and 3DES.
• Disallow or reconfigure services that allow themselves to be negotiated down to a weaker cryptographic or protocol version.
• Ensure security solutions like IDS and data loss prevention (DLP) can monitor and manage unencrypted traffic in the network.