...
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
A.2.1. Consider implementing ESAPI Authenticator and User API
...
A.2.2.4 Secure Password Storage:
- Don't store plaintext passwords
- Store passwords as hashes computed with an algorithm that has no known weaknesses (SHA-256 or stronger), for example via Java Simplified Encryption (Jasypt). Its StrongPasswordEncryptor class automatically performs 100000 iterations of SHA-256 together with a random 16-byte salt. In addition, Jasypt can encrypt values in property files using password-based encryption (PBE).
- Use a salt to mitigate rainbow table attacks
- Use a technique that slows down hashing
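As an added example (not code from this page or from Jasypt), the pattern the bullets above describe, written against the JDK alone: a random 16-byte salt, 100000 iterations of SHA-256, and a constant-time check at login. The class name and the `salt:digest` record format are hypothetical; Jasypt's StrongPasswordEncryptor packages the same idea behind encryptPassword() and checkPassword().

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;

/** Illustrative salted, iterated SHA-256 password hashing (added example, not Jasypt's code). */
public final class SaltedPasswordHasher {
    private static final int SALT_BYTES = 16;       // random salt per password defeats rainbow tables
    private static final int ITERATIONS = 100_000;  // repeated hashing slows down offline guessing
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns "base64(salt):base64(digest)"; the plaintext password is never stored. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] digest = digest(password, salt);
        return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(digest);
    }

    /** Verifies a candidate password against a stored record using a constant-time comparison. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) return false;        // malformed record: reject rather than throw
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, digest(password, salt));
    }

    private static byte[] digest(char[] password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] pw = new String(password).getBytes(StandardCharsets.UTF_8);
            md.update(salt);
            md.update(pw);
            byte[] out = md.digest();
            for (int i = 1; i < ITERATIONS; i++) {  // re-hash salt + previous digest ITERATIONS times
                md.reset();
                md.update(salt);
                md.update(out);
                out = md.digest();
            }
            Arrays.fill(pw, (byte) 0);              // scrub the UTF-8 copy of the password
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }
}
```

Call hash() once at registration and store only its result; at login, verify() recomputes the digest with the stored salt and compares it without leaking timing information.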
...