Describe the bug
Our security team is working on the automated detection of session vulnerabilities in opensource web applications, including insecure hashing of authentication credentials. Our analyzer identified that the set_password function of BikenWeb/biken
/models.py is using an unsafe hashing function (SHA-256) to store users' passwords. This practice might leave your application vulnerable to offline bruteforcing attacks.
Can you take a look into the relevant code parts and comment on the issue?
To Reproduce
Upon data breach, an attacker with access to the password database can perform offline bruteforcing to reconstruct valid users' passwords, possibly reused at other services. This can be avoided by using more secure hashing algorithms.
Expected behavior
Please follow the OWASP recommendations for secure password hashing to avoid the issue: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Describe the bug
Our security team is working on the automated detection of session vulnerabilities in opensource web applications, including insecure hashing of authentication credentials. Our analyzer identified that the set_password function of BikenWeb/biken
/models.py is using an unsafe hashing function (SHA-256) to store users' passwords. This practice might leave your application vulnerable to offline bruteforcing attacks.
Can you take a look into the relevant code parts and comment on the issue?
To Reproduce
Upon data breach, an attacker with access to the password database can perform offline bruteforcing to reconstruct valid users' passwords, possibly reused at other services. This can be avoided by using more secure hashing algorithms.
Expected behavior
Please follow the OWASP recommendations for secure password hashing to avoid the issue: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html