
MID-049: Secure Password Storage

Mitigation Tier: Foundational

Description

Passwords should be stored only in a non-reversible salted and hashed format that is calculated by a cryptographically strong hashing algorithm. Hashing algorithms are one-way functions that turn data of any length into a fixed-length digest of that data. Because the function is one-way, a hashed password cannot be turned back into its cleartext form; a threat actor who obtains hashed passwords must hash candidate passwords one by one until one produces a matching digest.

Threat actors have been known to use pre-calculated lookup tables of hashed candidate passwords to accelerate the password guessing process. Salting prevents this by increasing the size such a table would need to have until the approach becomes impractical. A salt is a piece of random data that is appended to the password before hashing and then stored alongside the hashed password. This makes each password hash unique, because the value actually hashed is the password plus the salt rather than the password alone. The hash of a given password therefore cannot be found in a lookup table, yet the device can still compute the salted hash within an acceptably short time when verifying a login.
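As an added illustration that is not part of this mitigation page, the following Python example stores a password as a salted PBKDF2-HMAC-SHA256 hash and verifies a login attempt against the stored record; the record format, salt length and iteration count are constructed choices for the example, not values the page specifies.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte
# random salt and an iteration count high enough to make guessing slow.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
HASH_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every call, so the same password yields a
    different record each time and cannot be matched against a precomputed
    lookup table of unsalted hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed or tampered record: treat as a failed login
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print(record_a != record_b)  # True: different salts, different stored hashes
    print(verify_password("correct horse battery staple", record_a))  # True
    print(verify_password("wrong password", record_a))  # False
```

Storing the algorithm name and iteration count inside each record lets the device raise the work factor later and re-hash a user's password at their next successful login without invalidating existing records.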

IEC 62443 4-2 Mappings

  • CR 1.5 - Authenticator management 

References