Page 1042 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

risk, an organization may choose to rebuild the entire system from scratch.

A strong password helps prevent password attacks. It is sufficiently long and combines several character types. The phrase "sufficiently long" is a moving target that depends on how the password is used and on the environment. Chapter 13 discusses password policies, strong passwords, and the use of passphrases. The important point is that longer passwords are stronger than shorter passwords, because every additional character multiplies the number of guesses an attacker must make.

While security professionals usually know what makes a strong password, many users do not, and it is common for users to create short passwords with only a single character type. The Ashley Madison data breach in 2015 helps illustrate this. Ashley Madison is an online dating service marketed to people who are married or in relationships, and its slogan is "Life is short. Have an affair." Attackers released more than 60 GB of customer records, and an analysis of the passwords showed that more than 120,000 users had a password of 123456. Other passwords in the top 10 included 12345, 1234567, 12345678, 123456789, password, and abc123. Users were seeking to cheat on their spouses yet still using incredibly simple passwords.

Passwords should never be stored in cleartext. Instead, each password is hashed with a strong hashing function and only the hash is stored. In practice the password is combined with a random per-user salt before hashing, and the function used for storage should be one built for passwords (PBKDF2, bcrypt, scrypt, or Argon2) rather than a single pass of a fast general-purpose hash such as SHA-3: the salt prevents one precomputed table from cracking every user at once, and the deliberately slow function makes each guess expensive. When a user authenticates, the system hashes the provided password and typically sends the hash to an authentication server over an encrypted channel. The authentication server decrypts the received hash and compares it to the stored hash for that user. If the hashes match, the system authenticates the user; the cleartext password never has to be stored and is never compared directly.

It's important to use strong hashing functions when hashing passwords. Many password attacks succeed because organizations used weak, fast hashing functions, such as message digest 5 (MD5), without a salt; commodity GPUs can test billions of MD5 guesses per second, so a breached hash table with simple passwords is cracked almost immediately.
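The hash-and-compare flow described above, as an added example that is not from the study guide. The weak scheme (unsalted MD5) is placed beside a salted, deliberately slow one so that the same dictionary attack can be run against both. Assumptions not stated on the page: PBKDF2-HMAC-SHA256 with a 16-byte random salt and 600,000 iterations, a `$`-separated record format, and a wordlist constructed from the top Ashley Madison passwords the text lists.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Wordlist constructed from the top passwords the page cites from the
# Ashley Madison analysis; an attacker's dictionary starts with exactly these.
WORDLIST = ["123456", "12345", "1234567", "12345678",
            "123456789", "password", "abc123"]

# Assumed storage parameters (not from the page): PBKDF2-HMAC-SHA256,
# a 16-byte random salt, and 600,000 iterations per hash.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted hash. Each candidate costs one MD5
    call, and because there is no salt, one table of candidate hashes
    serves every user in the breach."""
    for candidate in wordlist:
        if legacy_md5(candidate) == stored_hash:
            return candidate
    return None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a salted, deliberately slow hash instead of the cleartext.
    The record carries its own parameters so they can be raised later
    without invalidating older records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare
    in constant time, so the comparison itself leaks no timing signal."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against the salted record. The salt is
    not secret, so a password from the wordlist still falls; the difference
    is that every guess now costs a full PBKDF2 run and the work must be
    repeated for every user instead of once for the whole breach."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    weak = legacy_md5("123456")
    print("unsalted MD5 of 123456:", weak, "->", crack_unsalted(weak, WORDLIST))
    record = hash_password("abc123")
    print("salted record:", record)
    print("cracked anyway (weak password):", crack_salted(record, WORDLIST))
    strong = hash_password("Life is short. Use a passphrase.")
    print("passphrase cracked:", crack_salted(strong, WORDLIST))
```

Running it shows the two lessons side by side: a strong storage scheme raises the cost of each guess and removes the shared lookup table, but it does not rescue a password that sits in the first seven entries of every wordlist. Only length and unpredictability do that.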



Most security professionals know they should never use simple passwords, such as 123456. However, security professionals sometimes forget that users still create these types of simple