Medium Impact
Encrypting passwords is an insecure method of storing passwords. By storing the key to these passwords, WORKTERRA has direct access to user passwords. If a malicious user with elevated access or a malicious employee wanted to view user passwords, that individual could do so by using the encryption key to decrypt passwords. The ability to decrypt passwords adds significant risk to the users of WORKTERRA's application in the event of a data compromise.
Verification and Attack Information
Praetorian confirmed that passwords were encrypted using AES-256 through an interview with the application’s developers.
Recommendation
Use a Password Based Key Derivation Function (PBKDF) to store hashes of passwords as an alternative to storing in encrypted passwords. Praetorian recommends using one of the following algorithms (in order of preference): Scrypt, Bcrypt, or PBKDF2.
References
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
http://codahale.com/how-to-safely-store-a-password/
