2.4.1 should be required for L1

[appills]

2.4.1

Application Security Verification Levels:

ASVS Level 1 is for low assurance levels, and is completely penetration testable.

Level 1 is the only level that is completely penetration testable using humans. All others require access to documentation, source code, configuration, and the people involved in the development process.

Insecure password storage or insecure credential handling can be tested by a human in at least one method, such as detecting non-timing-safe string comparisons. Secure password hashing is surely testable as a human from a black box and can be inferred to some extent based on response timing.

Using ASVS for Level 1 states:

An application achieves ASVS Level 1 if it adequately defends against application security vulnerabilities that are easy to discover, and included in the OWASP Top 10 and other similar checklists.

And insecure password hashing, storage, and non-timing-safe string comparisons surely fall under A02 Cryptographic Failures

[elarlang]

So you copy-paste selective texts from around documents, but not the one which is written to the mentioned section? :)

https://github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md#v24-credential-storage

This section cannot be penetration tested, so controls are not marked as L1. However, this section is of vital importance to the security of credentials if they are stolen, so if forking the ASVS for an architecture or coding guideline or source code review checklist, please place these controls back to L1 in your private version.

Requirement itself:

#	Description	L1	L2	L3	CWE	NIST §
2.4.1	[MODIFIED] Verify that one of the following password hashing functions is used when storing the user's password for the application: argon2id, scrypt, bcrypt or PBKDF2. (C6)		✓	✓	916	5.1.1.2

In general I agree it should be level 1, but based on level description for ASVS v4.0.* it is defined as level 2 and the reason is also described in the section.

So at the moment I see it as duplicate of #1495

[appills]

So you copy-paste selective texts from around documents, but not the one which is written to the mentioned section? :)

Hehe good point, I should've copied the text from the section (& probably read that it states to "Verify", which of course there's probably someone out there doing 100k md5's and that might be timing-indistinguishable)

@Sjord brings up a valid point in that #1495 thread:

For me, the levels relate to the security requirements of your application. If you are building a nuclear missile launch system, you would comply to L3. If you are building a tic-tac-toe website, you would comply to L1.

I'll continue my separate thought over there, thank you!

[elarlang]

I don't close it at the moment, just marked it as "level question". If we can declare the levels on one nice day, we need to recheck those issues as well.

[jmanico]

We made major changes to password storage in v6, please re-open this if you think I'm closing it prematurely,