CISSP · Question #796
A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used
The correct answer is C. Use a hash function with a cost factor and a per-user random salt.. Storing passwords securely against offline attacks requires a slow, adaptive hashing algorithm with a per-user salt to make brute-force and dictionary attacks computationally expensive.
Question
A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used to store these passwords to ensure offline attacks are difficult?
Options
- AUse an encryption algorithm that is fast with a random per-user encryption key.
- BUse a hash function that is fast with a per-user random salt.
- CUse a hash function with a cost factor and a per-user random salt.
- DUse an encryption algorithm with a random master key.
How the community answered
(21 responses)- A14% (3)
- B5% (1)
- C76% (16)
- D5% (1)
Why each option
Storing passwords securely against offline attacks requires a slow, adaptive hashing algorithm with a per-user salt to make brute-force and dictionary attacks computationally expensive.
Encryption is reversible, meaning if the master or per-user key is compromised, all passwords are immediately exposed in plaintext, which does not provide adequate protection for stored credentials.
A fast hash function (such as MD5 or SHA-256) with a salt prevents rainbow table attacks but remains highly vulnerable to offline brute-force attacks because an attacker can compute billions of hashes per second with commodity hardware.
A hash function with a cost factor (such as bcrypt, scrypt, or Argon2) is specifically designed to be computationally slow and memory-intensive, making offline brute-force attacks extremely expensive even with modern hardware. The cost factor can be increased over time as hardware improves, maintaining resistance to attacks. The per-user random salt ensures that identical passwords produce different hashes, preventing rainbow table and batch-cracking attacks.
Encryption with a random master key is reversible and stores a single key that, if compromised, exposes all passwords simultaneously, providing no meaningful resistance to offline attacks once the key is obtained.
Concept tested: Secure password storage using adaptive hashing with salt
Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.