password hashing

Overview

Hashing is a way to store passwords that cannot be read so that they can be used to access the system. By using random salt added to the password during hashing, the hashed password cannot be checked against a list of pre-hashed passwords. Hashing itself is related to encryption, but is a one way function. An entered password can be hashed and compared to the stored hashed password and if they match, authentication is confirmed.

Why are they asking this?

Failure to properly hash passwords means if the password file or table is stolen, it can be compared to a precomputed list to find passwords for users.

What do they expect?

It is expected that all passwords are hashed with a random salt before they are stored in a password file or table.

When passwords are at rest, does your company ensure that passwords are always stored encrypted and/or as one-way hash values?
Are passwords stored in a one-way hash format?
Does your password policy require passwords to be encrypted or hashed in storage?
Are passwords hashed using a Key Derivation Function (PBKDF2, Scrypt, Bcrypt)?
Does your application ‘salt’ passwords when encrypting/hashing?
Does your password policy require passwords to be hashed using a Key Derivation Function (PBKDF2, Scrypt, BALLOON) and a 32-bit random salt?