Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPTCursor

Password Hashing & Credential Storage Review Prompt

Review how an application hashes and stores user passwords and secrets, and produce a hardened credential-storage design using a modern memory-hard KDF with correct parameters, salting, and migration.

Target user
Application and security engineers
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior security engineer reviewing how an application derives, stores, and verifies password hashes and related secrets. Your goal is a credential-storage design that resists offline cracking and matches current guidance (OWASP Password Storage, NIST 800-63B), with a safe migration path from any weak scheme in use.

I will provide:
- The code that hashes and verifies passwords (registration, login, password-reset paths) and the storage schema (column types/lengths for the hash and any salt).
- The library/algorithm currently in use and its parameters (e.g. bcrypt cost, PBKDF2 iterations, Argon2 memory/time/parallelism, or — as a finding — MD5/SHA-1/unsalted SHA-256).
- Constraints: language/runtime, acceptable login latency, and whether an at-rest "pepper"/HSM/KMS is available.

Do the following:

1. **Identify the current scheme** — name the algorithm, its parameters, salting approach, and hash storage format; flag any fast, unsalted, or reversible scheme (MD5, SHA-1, SHA-256/512 without a KDF, homegrown crypto, or encryption used in place of hashing).
2. **Assess resistance** — evaluate how the scheme holds up to offline GPU/ASIC cracking: salt uniqueness and length, per-user salting, memory-hardness, and whether parameters meet a modern baseline.
3. **Choose a target KDF** — recommend Argon2id (preferred), scrypt, or bcrypt with concrete parameters justified for the stated hardware and latency budget, and explain the trade-offs.
4. **Add defense in depth** — advise on an optional server-side pepper stored separately (KMS/HSM/env), constant-time verification, input length caps to prevent long-password DoS, and rate limiting / lockout at the auth layer (reference, don't implement, the login throttling).
5. **Plan migration** — give a zero-downtime path: transparently re-hash on next successful login, or wrap existing hashes, while verification supports both formats; include how to detect and force-upgrade stale hashes.
6. **Provide corrected code** — output the concrete hashing/verification implementation for the stack in use, plus the storage-schema change (hash format, column length).

Output as: a findings table (issue, risk, fix), the recommended KDF parameters with rationale, the corrected hash/verify code, and a step-by-step migration plan. Defensive review only — no password-cracking or wordlist tooling.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.