
Update Password_Storage_Cheat_Sheet.md #1226

Merged: 6 commits merged into master from password-edits on Nov 18, 2023

Conversation

jmanico (Member) commented Nov 16, 2023

Big update from Robert Thorton

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as TEXT
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR covers issue #.

Thank you again for your contribution 😃

Big update from Robert Thorton
szh (Collaborator) left a comment

I left some proofreading comments, but otherwise looks great! Thank you!

Five review comments on cheatsheets/Password_Storage_Cheat_Sheet.md (outdated, resolved)
@jmanico jmanico merged commit d9d84e4 into master Nov 18, 2023
6 checks passed
@jmanico jmanico deleted the password-edits branch November 18, 2023 18:04
kwwall (Collaborator) commented Nov 21, 2023

@jmanico - Just an FYI, I am starting the requested code review today. Had been working on a PR for a new ESAPI release.

kwwall (Collaborator) commented Nov 21, 2023

@jmanico - Sorry I was late to this requested review. This is great work. The only minor comment that I would have is the paragraph under the "Peppering" section that states:

For example, one peppering strategy is hashing the passwords as usual (using a password hashing algorithm) and then using HMAC or encrypting the hashes with a symmetrical encryption key before storing the password hash in the database, with the key acting as the pepper.

I personally would recommend changing the part "then using HMAC or encrypting the hashes with a symmetrical encryption key" (should be "symmetric encryption key", not "symmetrical" BTW), to instead ONLY refer to using HMACs. I'd recommend revising it as something like this:

For example, one peppering strategy is hashing the passwords as usual (using a password hashing algorithm) and then using an HMAC (e.g., HMAC-SHA256, HMAC-SHA512, depending on the desired output length) on the original password hash before storing the password hash in the database, with the pepper acting as the HMAC key.

I recommend using an HMAC over symmetric encryption because there's just less to get wrong using HMACs than there is correctly implementing the encryption / decryption using a symmetric cipher.

Regardless of whether that change is made or not though, the last part of that paragraph, where it states:

... with the key acting as the pepper.

is incorrect. It should say

... with the pepper acting as the key.

Otherwise, looks good.
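The HMAC-based peppering strategy described in the comment above, as an added example that is not code from this PR or from the cheat sheet. It assumes the Python standard library's scrypt as the stand-in for "a password hashing algorithm" (the cheat sheet's recommended algorithms and parameters are not reproduced here), and the pepper value is a constructed demo constant; in a real deployment the pepper lives outside the database (a secret store or HSM) so a database-only compromise does not yield it.

```python
import hashlib
import hmac
import os

# Constructed demo parameters. scrypt stands in for the password hashing
# algorithm; n=2**14, r=8 uses 16 MiB of memory per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def hash_password(password: str, salt: bytes) -> bytes:
    """Step 1: hash the password as usual with a per-user salt.

    The salt is public and stored alongside the record.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)


def pepper_hash(password_hash: bytes, pepper: bytes, digest: str = "sha256") -> bytes:
    """Step 2: apply an HMAC to the password hash.

    The pepper acts as the HMAC key; the password hash is the message.
    The digest choice (sha256 -> 32 bytes, sha512 -> 64 bytes) sets the
    stored output length.
    """
    return hmac.new(pepper, password_hash, digest).digest()


def create_record(password: str, pepper: bytes) -> dict:
    """Build what goes into the database: salt plus the peppered hash.

    Neither the raw password hash nor the pepper is stored.
    """
    salt = os.urandom(16)
    peppered = pepper_hash(hash_password(password, salt), pepper)
    return {"salt": salt, "peppered_hash": peppered}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute both steps and compare in constant time.

    Without the correct pepper, the HMAC cannot be recomputed, so a stolen
    database alone does not allow offline guessing against these records.
    """
    candidate = pepper_hash(hash_password(password, record["salt"]), pepper)
    return hmac.compare_digest(candidate, record["peppered_hash"])


if __name__ == "__main__":
    # Constructed demo pepper; a real pepper is a random secret kept out of the DB.
    PEPPER = b"constructed-demo-pepper-not-for-production"
    record = create_record("correct horse battery staple", PEPPER)
    print("correct password, correct pepper:", verify_password("correct horse battery staple", record, PEPPER))
    print("wrong password:", verify_password("wrong password", record, PEPPER))
    print("correct password, wrong pepper:", verify_password("correct horse battery staple", record, b"other pepper"))
```

The HMAC step is keyed and deterministic, so verification needs no decryption path, no IV or nonce handling and no authentication-tag check, which is the "less to get wrong" argument made in the comment; the comparison uses `hmac.compare_digest` so the check does not leak timing information about the stored value.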
