Issue:

The password storage vulnerability is not fixed. Passwords are not being salted and hashed correctly.

Test 1:

Ensure the salts are being generated correctly. Consult Step 5 of the lesson, Generating Salts, for examples on how to properly create the salts. Your salts should be 64 hexadecimal characters long. Add a print statement to your register function to verify the salt is correct.

Test 2:

Ensure that the provided plaintext password is being salted and hashed correctly. The generated salt should be concatenated with the user-provided plaintext password. After concatenating, the resultant string should be hashed using the SHA-256 algorithm. For examples on hashing strings, see Step 5, entitled Remediation, from the Secure Password Storage: Part 1 lesson.

Test 3:

Ensure that the hash and salt are being stored in the database correctly during registration. The provided SQL INSERT statement needs to be modified to allow for the insertion of the generated salt. The hash should be stored in the user.password column. The salt should be stored in the user.salt column.

Similarly, data from these two columns needs to be retrieved in the login function in order to properly authenticate the user. The hash and salt can be retrieved for a particular using by adding a WHERE clause to the SELECT statement and filtering by the user.username field.

Did this answer your question?