Issue:

The password storage vulnerability is not fixed. Passwords are not being hashed by Argon2 correctly.

Test 1:

Ensure the Argon2 hashing function is being called correctly. See the Remediation step for specific code examples on how to call the function; ensure the arguments you are providing are the correct type. Verify that you are inserting the hash into the password column within the user table.

Test 2:

Register a new user and look at the User Registry tab. If you are calling the hashing function correctly, the password column should contain a hash that looks similar to this:

$argon2id$v=19$m=65536,t=3,p=4$...

Ensure the parts that make up the hash string have the expected values:

  • Variant should be argon2id

  • Memory cost should be 65536

  • Time cost should be 3

If any of these values do not match what you see in the password column, examine your register function for bugs.
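The following is an added example, not code from the original article: a small Python check that performs Test 2 programmatically by parsing the PHC-style string found in the password column and comparing its fields with the expected values above. It assumes the parallelism parameter should be p=4, as in the sample hash string, and the two hash strings are constructed samples (made-up base64 salt and digest) so the check runs offline without the Argon2 library.

```python
import re

# Expected parameters, taken from the hash shape shown in Test 2.
# p=4 is assumed from the sample string; the checklist itself only names the first three.
EXPECTED = {"variant": "argon2id", "m": 65536, "t": 3, "p": 4}

# Constructed sample of what a correctly stored password column should hold.
# Salt and digest are made-up base64 values; only the shape matters here.
SAMPLE_OK = ("$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$"
             "u8pV1k2t3lZc8Kf0Qb9lVQ0L9m7c0dqsBb3R0jZ6aYk")

# Constructed sample of a common mistake: wrong variant and weaker parameters.
SAMPLE_BAD = ("$argon2i$v=19$m=4096,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$"
              "u8pV1k2t3lZc8Kf0Qb9lVQ0L9m7c0dqsBb3R0jZ6aYk")

# PHC string layout: $variant$v=N$m=N,t=N,p=N$<salt b64>$<digest b64> (unpadded base64).
_PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))"
    r"\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)"
    r"\$(?P<digest>[A-Za-z0-9+/]+)$"
)


def parse_argon2(encoded: str) -> dict:
    """Split an Argon2 PHC string into its fields; raise ValueError if it is not one."""
    match = _PHC_RE.match(encoded)
    if not match:
        # A plaintext or non-Argon2 value (e.g. an unsalted digest) lands here.
        raise ValueError("value in password column is not an Argon2 hash string")
    return {
        "variant": match.group("variant"),
        "version": int(match.group("version")),
        "m": int(match.group("m")),
        "t": int(match.group("t")),
        "p": int(match.group("p")),
        "salt": match.group("salt"),
        "digest": match.group("digest"),
    }


def check_stored_password(encoded: str, expected: dict = EXPECTED) -> list:
    """Return a list of mismatches; an empty list means the stored value passes Test 2."""
    try:
        fields = parse_argon2(encoded)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for key, want in expected.items():
        got = fields[key]
        if got != want:
            problems.append(f"{key}: expected {want}, got {got}")
    return problems


if __name__ == "__main__":
    for label, value in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("plain", "hunter2")):
        print(label, check_stored_password(value) or "passes")
```

Run it against the value you copy out of the password column after registering a user; any line it prints points at the parameter your register function is getting wrong.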
