2 cissp ® Official Study Guide Eighth Edition

Comparing Identification and Authentication 
589
passwords are the weakest form of authentication. Passwords are weak security mecha-
nisms for several reasons:
■
Users often choose passwords that are easy to remember and therefore easy to guess or 
crack.
■
Randomly generated passwords are hard to remember; thus, many users write them 
down.
■
Users often share their passwords, or forget them.
■
Attackers detect passwords through many means, including observation, sniffing net-
works, and stealing security databases.
■
Passwords are sometimes transmitted in clear text or with easily broken encryption 
protocols. Attackers can capture these passwords with network sniffers.
■
Password databases are sometimes stored in publicly accessible online locations.
■
Brute-force attacks can quickly discover weak passwords.
Password Storage
Passwords are rarely stored in plaintext. Instead, a system will create a hash of a pass-
word using a hashing algorithm such as Secure Hash Algorithm 3 (SHA-3). The hash is 
a number, and the algorithm will always create the same number if the password is the 
same. Systems store the hash, but they don’t store the password. When a user authenti-
cates, the system hashes the supplied password and matches it with the stored password 
hash. If they are the same, the system authenticates the user.
Many systems use more sophisticated hashing functions such as Password-Based Key 
Derivation Function 2 (PBKDF2) or bcrypt to add bits to the password before hashing 
it. These additional bits are referred to as a 
salt
, and salting helps thwart rainbow table 
attacks. Legacy hashing functions such as message digest 5 (MD5) have vulnerabilities 
and should not be used to hash passwords.

Download 19,3 Mb.

Do'stlaringiz bilan baham: