Page 1058 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

passwords more frequently than regular users.

Hash and salt passwords. Use algorithms such as bcrypt and PBKDF2 to salt and hash passwords, and consider using an external pepper to further protect passwords. Combined with the use of strong passwords, salted and peppered passwords are extremely difficult to crack using rainbow tables or other methods.

Use password masking. Ensure that applications never display passwords in clear text on any screen. Instead, mask the display of the password by displaying an alternate character such as an asterisk (*). This reduces shoulder surfing attempts, but users should be aware that an attacker might be able to learn the password by watching the user type the keys on the keyboard.

Deploy multifactor authentication. Deploy multifactor authentication, such as using biometrics or token devices. When an organization uses multifactor authentication, attackers are not able to access a network if they discover just a password. Many online services, such as Google, now offer multifactor authentication as an additional measure of protection.

Use account lockout controls. Account lockout controls help prevent online password attacks. They lock an account after the incorrect password is entered a predefined number of times. Account lockout controls typically use clipping levels that ignore some user errors but take action after reaching a threshold. For example, it’s common to allow a user to enter the incorrect password as many as five times before locking the account. For systems and services that don’t support account lockout controls, such as most File Transfer Protocol (FTP) servers, extensive logging along with an intrusion detection system can protect the server.
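The salting, peppering and lockout recommendations above, combined in one added example that is not from the study guide: PBKDF2-HMAC-SHA256 with a per-user random salt, a pepper that is mixed in before key stretching and is assumed to be stored outside the password database, and a clipping level that locks the account on the fifth consecutive failure. The pepper value, iteration count and threshold are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed values. A real pepper is held outside the credential store (KMS, HSM,
# or a secret injected at runtime) so a stolen database dump does not include it.
PEPPER = b"example-pepper-kept-outside-the-database"
ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor
LOCKOUT_THRESHOLD = 5       # clipping level: the fifth bad attempt locks the account


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is generated when none is given."""
    salt = salt or os.urandom(16)
    # Pepper first: without PEPPER an attacker cannot even start offline cracking.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)   # constant-time comparison


class AccountStore:
    """In-memory credential store with a per-account failure counter and lockout."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest,
                                   "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked"; a success resets the clipping counter."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct["locked"]:
            return "locked"
        if verify_password(password, acct["salt"], acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["locked"] = True
            return "locked"
        return "denied"
```

Once locked, even the correct password is refused until an administrator or a time-based reset clears the flag, which is the behaviour the clipping level is meant to enforce.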

Account lockout controls help prevent an attacker from guessing a password in an online account. However, this does not prevent an attacker from using a password-cracking tool against a stolen database file containing hashed passwords.