Merge branch 'main' into audit-suites

GeekMasher · web-flow · commit 2038bef0f5e7 · 2024-01-09T09:48:19.000Z
diff --git a/csharp/src/security/CWE-328/WeakPasswordHashing.qhelp b/csharp/src/security/CWE-328/WeakPasswordHashing.qhelp
@@ -4,8 +4,7 @@
 <qhelp>
     <overview>
         <p>
-            Using a insufficiently computationally hard hash function can leave data
-            vulnerable, and should not be used for password hashing.
+            Hash functions that are not sufficiently computationally hard can leave data vulnerable. You should not use such functions for password hashing.
         </p>
 
         <p>
@@ -30,18 +29,18 @@
         </ul>
 
         <p>
-            All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not computationally hard.
+            All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not sufficiently computationally hard. This includes SHA-224, SHA-256, SHA-384 and SHA-512, which are in the SHA-2 family.
         </p>
 
         <p>
-            Password hashing algorithms are designed to be slow and/or memory intenstive to compute, which makes brute force attacks more difficult.
+            Password hashing algorithms should be slow and/or memory intensive to compute, to make brute force attacks more difficult.
         </p>
 
     </overview>
     <recommendation>
 
         <p>
-            Ensure that for password storage you should use a computationally hard cryptographic hash function, such as:
+            For password storage, you should use a sufficiently computationally hard cryptographic hash function, such as one of the following:
         </p>
 
         <ul>
@@ -51,7 +50,9 @@
             <li>
                 scrypt
             </li>
+            <li>
                 bcrypt
+            </li>
             <li>
                 PBKDF2
             </li>
@@ -61,7 +62,7 @@
     <example>
 
         <p>
-            The following examples show a function that hashes a password using a cryptographic hashing algorithm.
+            The following examples show two versions of the same function. In both cases, a password is hashed using a cryptographic hashing algorithm.
 
             In the first case the SHA-512 hashing algorithm is used. It is vulnerable to offline brute force attacks:
         </p>
