2 cissp ® Official Study Guide Eighth Edition

Application Attacks 
933
such as “My son Richard likes to eat four pies” instead of a short password. If the system 
does not allow the use of long passphrases, consider using a mnemonic device such creat-
ing a password out of the fi rst letter of each word of a long phrase. For example, “My son 
Richard likes to eat four pies” would become MsRlte4p—an extremely strong password. 
You may also wish to consider providing users with a secure tool that allows for the storage 
of these strong passwords. Password Safe and LastPass are two commonly used examples. 
These tools allow users to create unique, strong passwords for each service they use without 
the burden of memorizing them all. 
One of the best ways to prevent password-based attacks is to supplement 
passwords with other authentication techniques. This approach, known as 
multifactor authentication, is discussed in Chapter 13.
One of the mistakes made by overzealous security administrators is to create a series 
of strong passwords and then assign them to users (who are then prevented from chang-
ing their password). At fi rst glance, this seems to be a sound security policy. However, the 
fi rst thing a user will do when they receive a password like 1mf0A8fl t is write it down on a 
sticky note and put it under their computer keyboard. Whoops! Security just went out the 
window (or under the keyboard)!
Application Attacks 
In Chapter 20, you learned about the importance of utilizing solid software engineering 
processes when developing operating systems and applications. In the following sections, 
you’ll take a brief look at some of the specifi c techniques attackers use to exploit vulner-
abilities left behind by sloppy coding practices. 

Download 19,3 Mb.

Do'stlaringiz bilan baham: