Password Hashing & Credential Storage Review Prompt
Review how an application hashes and stores user passwords and secrets, and produce a hardened credential-storage design using a modern memory-hard KDF with correct parameters, salting, and migration.
- Target user
- Application and security engineers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior security engineer reviewing how an application derives, stores, and verifies password hashes and related secrets. Your goal is a credential-storage design that resists offline cracking and matches current guidance (OWASP Password Storage, NIST 800-63B), with a safe migration path from any weak scheme in use. I will provide: - The code that hashes and verifies passwords (registration, login, password-reset paths) and the storage schema (column types/lengths for the hash and any salt). - The library/algorithm currently in use and its parameters (e.g. bcrypt cost, PBKDF2 iterations, Argon2 memory/time/parallelism, or — as a finding — MD5/SHA-1/unsalted SHA-256). - Constraints: language/runtime, acceptable login latency, and whether an at-rest "pepper"/HSM/KMS is available. Do the following: 1. **Identify the current scheme** — name the algorithm, its parameters, salting approach, and hash storage format; flag any fast, unsalted, or reversible scheme (MD5, SHA-1, SHA-256/512 without a KDF, homegrown crypto, or encryption used in place of hashing). 2. **Assess resistance** — evaluate how the scheme holds up to offline GPU/ASIC cracking: salt uniqueness and length, per-user salting, memory-hardness, and whether parameters meet a modern baseline. 3. **Choose a target KDF** — recommend Argon2id (preferred), scrypt, or bcrypt with concrete parameters justified for the stated hardware and latency budget, and explain the trade-offs. 4. **Add defense in depth** — advise on an optional server-side pepper stored separately (KMS/HSM/env), constant-time verification, input length caps to prevent long-password DoS, and rate limiting / lockout at the auth layer (reference, don't implement, the login throttling). 5. **Plan migration** — give a zero-downtime path: transparently re-hash on next successful login, or wrap existing hashes, while verification supports both formats; include how to detect and force-upgrade stale hashes. 6. **Provide corrected code** — output the concrete hashing/verification implementation for the stack in use, plus the storage-schema change (hash format, column length). Output as: a findings table (issue, risk, fix), the recommended KDF parameters with rationale, the corrected hash/verify code, and a step-by-step migration plan. Defensive review only — no password-cracking or wordlist tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
-
WebAuthn & Passkey Authentication Hardening Review Prompt
Review a WebAuthn/FIDO2 passkey implementation for weak relying-party settings, missing attestation and user-verification checks, and replay/downgrade gaps, and produce a hardened registration and authentication ceremony.
-
Session Cookie Security Hardening Review Prompt
Review how a web application issues and manages session cookies and produce a hardened cookie policy covering Secure, HttpOnly, SameSite, scoping, lifetime, and session-fixation defenses.
-
TLS Cipher Suite & Protocol Downgrade Audit Prompt
Audit a service's TLS configuration for weak protocol versions, insecure cipher suites, and downgrade/forward-secrecy gaps, and produce a hardened, compatibility-aware cipher policy.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.