Skip to content
This repository has been archived by the owner on Jun 16, 2022. It is now read-only.

Password salting #151

Open
6 tasks
ARMmaster17 opened this issue Feb 21, 2022 · 0 comments
Open
6 tasks

Password salting #151

ARMmaster17 opened this issue Feb 21, 2022 · 0 comments
Labels
Backend Changes are expected to be made to the service, repository, or controller level of Java source files blocked This issue is blocked by a pending PR or another issue that must be resolved first. DevOps Changes are expected to be made to IaaS manifests or low-level Java configuration bindings. enhancement New feature or request
Milestone
Sprint 4

Comments

@ARMmaster17
Copy link
Member

ARMmaster17 commented Feb 21, 2022
edited
Loading

Summary

In production, passwords should be salted (+peppered) in addition to the existing hashing algorithm. The salt can be hardcoded through an environment variable in the dev stack and when testing, but in production the salt should come from an environment variable separate from our IaaS manifests.

Salting is a strong recommendation by the NIST, which serves as the foundation for the regulations associated with HIPAA. Applying peppering to passwords is also considered a good practice by the NIST.

Implementation

  • In AuthenticationService salt a new user's password based on the environment salt.
  • In AuthenticationService pass through several fields from the UserDTO and use an environment variable to select which field will be used as the pepper.
  • Implement salt and pepper mechanisms above in the login logic in SecurityConfig.java.
  • (OPTIONAL) If user accounts already exist on production, either delete them or force a password reset.
  • Create SECURITY_SALT environment variable on Heroku, GHA, and dev-stack.
  • Write unit tests to verify that the new hashing algorithm is non-deterministic and idempotent (i.e. the algorithm will always return the same hard-coded result if the same password, salt, UserDTO, and "pepper field" are passed in).
@ARMmaster17 ARMmaster17 added enhancement New feature or request Backend Changes are expected to be made to the service, repository, or controller level of Java source files labels Feb 21, 2022
@ARMmaster17 ARMmaster17 added this to the Sprint 2 milestone Feb 21, 2022
@ARMmaster17 ARMmaster17 moved this to Committed in Kanban Board Feb 21, 2022
@ARMmaster17 ARMmaster17 modified the milestones: Sprint 2, Sprint 3 Mar 14, 2022
@ARMmaster17 ARMmaster17 added the blocked This issue is blocked by a pending PR or another issue that must be resolved first. label Mar 14, 2022
@ARMmaster17 ARMmaster17 added the DevOps Changes are expected to be made to IaaS manifests or low-level Java configuration bindings. label Mar 29, 2022
@ARMmaster17 ARMmaster17 modified the milestones: Sprint 3, Sprint 4 Apr 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Backend Changes are expected to be made to the service, repository, or controller level of Java source files blocked This issue is blocked by a pending PR or another issue that must be resolved first. DevOps Changes are expected to be made to IaaS manifests or low-level Java configuration bindings. enhancement New feature or request
Projects
Kanban Board
Status: Committed
Milestone
Sprint 4
Development

No branches or pull requests
1 participant
@ARMmaster17