Page 964 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 964

Passwords are rarely stored in plaintext. Instead, a system will
                  create a hash of a password using a hashing algorithm such as

                  Secure Hash Algorithm 3 (SHA-3). The hash is a number, and the
                  algorithm will always create the same number if the password is
                  the same. Systems store the hash, but they don’t store the
                  password. When a user authenticates, the system hashes the
                  supplied password and matches it with the stored password hash.
                  If they are the same, the system authenticates the user.


                  Many systems use more sophisticated hashing functions such as
                  Password-Based Key Derivation Function 2 (PBKDF2) or bcrypt to
                  add bits to the password before hashing it. These additional bits
                  are referred to as a salt, and salting helps thwart rainbow table
                  attacks. Legacy hashing functions such as message digest 5 (MD5)
                  have vulnerabilities and should not be used to hash passwords.




               Creating Strong Passwords

               Passwords are most effective when users create strong passwords. A
               strong password is sufficiently long and uses multiple character types

               such as uppercase letters, lowercase letters, numbers, and special
               characters. Organizations often include a written password policy in
               the overall security policy. IT security professionals then enforce the
               policy with technical controls such as a technical password policy that
               enforces the password restriction requirements. The following list
               includes some common password policy settings:

               Maximum Age This setting requires users to change their password

               periodically, such as every 45 days.

               Password Complexity The complexity of a password refers to how
               many character types it includes. An eight-character password using
               uppercase characters, lowercase characters, symbols, and numbers is
               much stronger than an eight-character password using only numbers.
               National Institute of Standards and Technology (NIST) special
               publication (SP) 800-63B, “Digital Identity Guidelines,” states that

               authentication systems should support the use of any printable
               American Standard Code for Information Interchange (ASCII)
               characters and the space character.
   959   960   961   962   963   964   965   966   967   968   969