Update A02_2021-Cryptographic_Failures.md
- How to prevent: added key usage and protection
- Scenario #3: file download flaw instead of file upload flaw
sslHello authored Sep 22, 2021
1 parent d8be91a commit 43a30a5
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions 2021/docs/A02_2021-Cryptographic_Failures.md
Expand Up @@ -84,7 +84,10 @@ Do the following, at a minimum, and consult the references:
- Make sure to encrypt all sensitive data at rest.

- Ensure up-to-date and strong standard algorithms, protocols, and
keys are in place; use proper key management.
keys are in place; use keys only for one service (e.g. *not* https *and* smtps),
restrict the domain of key usage; manage or host your keys as organisation, at
least for information with the highest protection needs; protect all keys against
unauthorized access and export; use proper key management.

- Encrypt all data in transit with secure protocols such as TLS with
perfect forward secrecy (PFS) ciphers, cipher prioritization by the
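Review bot: the added text in the second list item runs four separate recommendations together with semicolons and repeats itself: `restrict the domain of key usage` restates `use keys only for one service`, and the retained `use proper key management` at the end now duplicates the specifics that precede it. Suggest splitting the item into sub-bullets (one service per key, organisation-controlled keys for data with the highest protection needs, protection against unauthorized access and export) and dropping one of the two redundant clauses. Also, `manage or host your keys as organisation` is ambiguous (keys hosted by the organisation itself rather than by a third party is presumably the intent), and `https`/`smtps` should be `HTTPS`/`SMTPS` to match the capitalised `TLS` two lines below.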
Expand Down Expand Up @@ -142,7 +145,7 @@ above they could alter all transported data, e.g., the recipient of a
money transfer.

**Scenario #3**: The password database uses unsalted or simple hashes to
store everyone's passwords. A file upload flaw allows an attacker to
store everyone's passwords. A file download flaw allows an attacker to
retrieve the password database. All the unsalted hashes can be exposed
with a rainbow table of pre-calculated hashes. Hashes generated by
simple or fast hash functions may be cracked by GPUs, even if they were
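Review bot: `file download flaw` is the right correction for a scenario about retrieving the database, but the context line `All the unsalted hashes can be exposed with a rainbow table` conflates two steps: the download is what exposes the hashes, while the rainbow table recovers the passwords behind them. Suggest `All the unsalted hashes can be reversed with a rainbow table of pre-calculated hashes` (or `cracked`) so the sentence describes what the precomputed table actually does.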
