ExamTopics Logo
Mail Us[email protected]
Menu
Isc Discussions
exam questions

Exam CISSP All Questions

View all questions & answers for the CISSP exam
Go to Exam

Exam CISSP topic 1 question 425 discussion

Actual exam question from ISC's CISSP
Question #: 425
Topic #: 1
[All CISSP Questions]

A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used to store these passwords to ensure offline attacks are difficult?

  • A. Use an encryption algorithm that is fast with a random per-user encryption key.
  • B. Use a hash function that is fast with a per-user random salt.
  • C. Use a hash function with a cost factor and a per-user random salt.
  • D. Use an encryption algorithm with a random master key.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by [deleted] at April 5, 2023, 10:35 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
1460168
11 months ago
Selected Answer: C
An attacker has to invest a lot of hardware resources and time to crack the hashes. So I go with C.
upvoted 1 times
...
gjimenezf
1 year, 5 months ago
Selected Answer: C
cost factor increate time to hash to make mo difficult brute force attacks
upvoted 1 times
...
Soleandheel
1 year, 6 months ago
C. Use a hash function with a cost factor and a per-user random salt. Hashing with a cost factor: Using a hash function with a cost factor involves applying the hash function repeatedly (a configurable number of times) to slow down the hashing process. This makes it computationally expensive and time-consuming for attackers to perform offline brute-force or dictionary attacks. B. mentions using a hash function with a salt, which is a good practice, but it lacks the cost factor (also known as key stretching) that slows down the hashing process and makes offline attacks more difficult. Using a hash function with a cost factor and a per-user random salt, is the most appropriate and secure method for storing passwords to protect against offline attacks.
upvoted 2 times
...
DASH_v
2 years, 2 months ago
c. Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash.
upvoted 1 times
jackdryan
2 years, 1 month ago
C is correct
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel