...
- Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
- Don't store sensitive data unnecessarily. Discard it as soon as possible. Data you don't have can't be stolen.
- Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
- Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt, using a per-user random salt and a tunable work factor; a plain, fast hash such as MD5 or SHA-1 is not a password-hashing algorithm.
- Disable autocomplete on forms collecting sensitive data and disable caching (e.g., `Cache-Control: no-store`) for pages that contain sensitive data.
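As an added worked example of the password-storage point above (this is illustrative code written for this page, not OWASP's own), the following uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt, a stored work factor, and a constant-time comparison, beside the unsalted fast hash it replaces. The record format (`algorithm$iterations$salt$hash`), the iteration count, and the function names are assumptions chosen for the example, not something the page specifies.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (illustrative, not from the page): PBKDF2-HMAC-SHA256
# with a per-user random salt and a work factor that is stored alongside the
# hash so it can be raised later without breaking existing records.
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest does not short-circuit on the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored work factor is below current policy: rehash on next successful login."""
    try:
        algorithm, stored_iterations, _salt, _hash = record.split("$")
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: fast, unsalted, and identical for every user with the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample input for demonstration.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                     # False
    # Two records for the same password differ; the weak hash does not.
    print(hash_password("hunter2") != hash_password("hunter2"))        # True
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))    # True
    print(needs_rehash(hash_password("hunter2", iterations=10_000)))   # True
```

Storing the algorithm name and iteration count in the record is what lets the work factor be raised over time: `needs_rehash` flags old records at login, when the plaintext is briefly available, so the stored hash can be replaced without forcing a password reset. The same approach applies to bcrypt or scrypt via their respective libraries; only the derivation call changes.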
- Cryptography Storage Cheat Sheet
6.2 Providing Cryptographic Functionality
1 Secure Cryptographic Storage Design
...
Learn More:
- OWASP Cryptographic Storage Cheat Sheet
- OWASP Password Storage Cheat Sheet
- OWASP Transport Layer Protection Cheat Sheet
- OWASP Testing Guide: Chapter on SSL/TLS Testing
- CWE Entry 310 on Cryptographic Issues
- CWE Entry 312 on Cleartext Storage of Sensitive Information
- CWE Entry 319 on Cleartext Transmission of Sensitive Information
- CWE Entry 326 on Inadequate Encryption Strength (weak encryption)