Clarify password hashing rationale and algorithm selection#1993
Open
Angelmendiratta wants to merge 4 commits into OWASP:master from
Conversation
jmanico
reviewed
Feb 3, 2026
| Three hashing algorithms that should be considered: | ||
| When selecting a password hashing algorithm, developers should prefer modern algorithms that are designed to resist both GPU-based and memory-based attacks. | ||
| Where available, newer algorithms should be chosen for new applications, while older algorithms may still be acceptable for legacy systems with appropriate configuration. |
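Review bot: "memory-based attacks" in the first added line is not a recognised term and reads as though memory were the attack vector; the property the sentence is reaching for is that the algorithm is memory-hard, which is what raises the cost of GPU-based cracking. Suggest "developers should prefer modern, memory-hard algorithms designed to resist GPU-based cracking". The second added line is vague in the same way: "newer algorithms", "older algorithms" and "appropriate configuration" give the reader nothing to act on; either name the algorithms covered by the list that follows or point to the per-algorithm parameter guidance so that "appropriate configuration" has a concrete referent.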
Member
There was a problem hiding this comment.
Please put this ABOVE the "three hashing" phrase
Author
There was a problem hiding this comment.
Thanks for the review! I’ve reordered the text as suggested.
Author
I’ve addressed the review feedback and verified that "npm run lint-markdow" passes locally.
jmanico
reviewed
Feb 4, 2026
| Since **encryption is a two-way function**, attackers can retrieve the original plaintext from the encrypted data. It can be used to store data such as a user's address since this data is displayed in plaintext on the user's profile. Hashing their address would result in a garbled mess. | ||
| The only time encryption should be used in passwords is in edge cases where it is necessary to obtain the original plaintext password. This might be necessary if the application needs to use the password to authenticate with another system that does not support a modern way to programmatically grant access, such as OpenID Connect (OIDC). Wherever possible, an alternative architecture should be used to avoid the need to store passwords in an encrypted form. | ||
| The only time encryption should be used in passwords is in edge cases where it is necessary to obtain the original plaintext password. This might be necessary if the application needs to use the password to authenticate with another system that does not support a modern way to programmatically grant access, such as OpenID Connect (OIDC). Wherever possible, an alternative architecture should be used to avoid the need to store passwords in an encrypted form. |
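Review bot: the opening line states that attackers "can retrieve the original plaintext from the encrypted data", but that holds only when the attacker also obtains the key; as written it overstates the weakness and hides the real point, which is that a key the application must keep in order to decrypt is a key an attacker who compromises the application can use as well. Suggest "attackers who obtain both the encrypted data and the key can recover the original plaintext". The paragraph beginning "The only time encryption should be used in passwords" is shown twice with identical wording, so the "encryption alone" wording requested in the thread has not been applied in this revision of the hunk.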
Member
There was a problem hiding this comment.
Change to:
The only time encryption alone should be used in passwords
jmanico
approved these changes
Feb 4, 2026
jmanico
approved these changes
Feb 9, 2026
This PR improves clarity in the Password Storage Cheat Sheet by explaining why password hashing must be slow, clarifying how to choose between recommended algorithms, and simplifying the explanation of configuration parameters.
Scope: