Bcrypt Hash
ID | bcrypt_hash
Severity | low
Vendor | -
Family | Password Hash
Description
Bcrypt is a password hashing function designed to be computationally intensive. It’s commonly used for securely storing passwords in databases.
Security
Storing a bcrypt password hash in a Source Code Management (SCM) system, such as Git, is generally not recommended, but it depends on the context. Here are some considerations to keep in mind:
- Security by Design: Ideally, sensitive information, such as password hashes, should be kept out of source code repositories. SCM systems are designed for tracking changes in code, not for securely storing sensitive data.
- Access Control: If the repository is private and access is tightly controlled, the risk is somewhat reduced. However, even private repositories can be compromised, and anyone with access can potentially misuse the hashed passwords.
- Hashing Specifically: Bcrypt is a robust hashing algorithm that offers protection against brute-force attacks. Having bcrypt hashes in a repository is definitely better than storing plaintext passwords. Nonetheless, if an attacker gains access to the hashes, they could potentially launch time-consuming brute-force attacks, especially if the passwords were weak.
- Risk of Leak: Storing hashes in an SCM system increases the risk of leaks. A compromised repository, a mistaken push to a public repo, or a third party with unauthorized access can lead to unintentional leakage of these hashes.
Examples
INSERT INTO `users` (`user_id`, `username`, `password`) VALUES (1, 'john', '$2a$12$QyxcUUBc6VstEp3MP8FI1ugNCGx0/8uo9LkkgNFUaxx77AUnBiMyO');
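As an added example (not part of this rule page), a minimal Python detector for the bcrypt format discussed above: it finds hashes in committed text, reports the variant and cost factor for triage, and redacts the salt and digest in its own output. The regular expression, the `MIN_ACCEPTABLE_COST` threshold and the sample lines are my own constructions, not part of any scanner's rule set.

```python
import re
from dataclasses import dataclass
from typing import List

# Modular-crypt bcrypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>.
# The 53 salt+digest characters use bcrypt's own base64 alphabet (./A-Za-z0-9)
# and the cost is two decimal digits (the work factor: 2**cost rounds).
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")
# Assumed review policy, not a standard: flag hashes below this work factor.
MIN_ACCEPTABLE_COST = 10

@dataclass
class Finding:
    line_no: int
    variant: str   # "2", "2a", "2b", "2x" or "2y"
    cost: int
    redacted: str  # a scanner should never echo the full hash into its output

def redact(hash_str: str) -> str:
    """Keep the prefix (variant and cost) for triage; hide salt and digest."""
    head, _, body = hash_str.rpartition("$")
    return f"{head}${body[:4]}..."

def is_weak_cost(cost: int, minimum: int = MIN_ACCEPTABLE_COST) -> bool:
    """A low cost factor makes offline guessing of a leaked hash much cheaper."""
    return cost < minimum

def scan_text(text: str) -> List[Finding]:
    """Return one Finding per bcrypt hash, with the line number it was found on."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in BCRYPT_RE.finditer(line):
            full = m.group(0)
            variant = full[1:full.index("$", 1)]
            findings.append(Finding(line_no, variant, int(m.group(1)), redact(full)))
    return findings

# Constructed sample commit content: the SQL line from this page, a made-up config
# line with a weak cost factor, and a plain hex digest that must not match.
SAMPLE = "\n".join([
    "INSERT INTO `users` (`user_id`, `username`, `password`) VALUES (1, 'john', "
    "'$2a$12$QyxcUUBc6VstEp3MP8FI1ugNCGx0/8uo9LkkgNFUaxx77AUnBiMyO');",
    "admin_pw_hash = '$2b$04$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0'",
    "release_sha = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        flag = " (weak cost)" if is_weak_cost(f.cost) else ""
        print(f"line {f.line_no}: bcrypt ${f.variant} cost={f.cost}{flag} {f.redacted}")
```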
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s).
- Use environment variables or secure vault systems to manage configurations that include sensitive data.
- Consider using secrets management tools that integrate with your deployment pipeline to inject credentials securely.
- Regularly audit who has access to your SCM system and enforce strong authentication mechanisms such as two-factor authentication.
In conclusion, while bcrypt provides strong hashing, it’s generally best to manage sensitive information such as password hashes outside of your SCM system and use dedicated secure storage solutions where possible.
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.