CompTIA PenTest+ (PT0-002) — Question 275
A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code:
import hashlib
salt = b'saltl23'  # one hard-coded salt shared by every user (plaintext is the password as bytes)
hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000)
The penetration tester recommended the code be updated to the following:
import hashlib
import os
salt = os.urandom(32)  # fresh random salt per password; it must be stored alongside the hash
hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000)
Which of the following steps should the penetration tester recommend?
Answer options
- A. Changing passwords that were created before this code update
- B. Storing hashes created by both methods for compatibility
- C. Rehashing all old passwords with the new code
- D. Updating the SHA-256 algorithm to something more secure
Correct answer: A
Explanation
The correct answer is A. The original code hashes every password with the same hard-coded salt, so identical passwords produce identical hashes and a single precomputed table for that salt works against every account; the recommended code gives each password its own random salt. Because a stored hash cannot be re-salted without the original plaintext, passwords created before the code update must be changed so that they are stored under the new random-salt scheme. Options B and C are incorrect because they suggest keeping the old hashes or rehashing them, neither of which addresses the immediate security concern: the old hashes were all derived with the fixed salt, and without the plaintext they cannot be regenerated with a random one. Option D is also incorrect since SHA-256 is still considered secure for password hashing when used correctly, as it is here as the PRF inside PBKDF2.
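The following Python example is added here to illustrate the explanation above; it is not part of the CompTIA question or any product's code. It runs the question's two PBKDF2 variants side by side, shows why the shared salt is weak (equal passwords give equal hashes), and models the migration the explanation calls for: a hypothetical user-record schema (constructed for this example) in which legacy records carry no per-user salt and are flagged so that the user must set a new password, since the plaintext is needed to store it under the random-salt scheme.

```python
import hashlib
import hmac
import os

ITERATIONS = 10000        # iteration count from the question's code
FIXED_SALT = b'saltl23'   # the hard-coded salt from the original (weak) code
SALT_LEN = 32             # os.urandom(32) in the recommended code


def hash_fixed_salt(password: bytes) -> bytes:
    """Old scheme: every user shares one hard-coded salt."""
    return hashlib.pbkdf2_hmac('sha256', password, FIXED_SALT, ITERATIONS)


def hash_random_salt(password: bytes) -> tuple:
    """New scheme: a fresh random salt per password. The salt is not secret,
    but it must be stored next to the hash or the hash can never be verified."""
    salt = os.urandom(SALT_LEN)
    return salt, hashlib.pbkdf2_hmac('sha256', password, salt, ITERATIONS)


def verify(password: bytes, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived hash with the stored one."""
    derived = hashlib.pbkdf2_hmac('sha256', password, salt, ITERATIONS)
    return hmac.compare_digest(derived, expected)


# --- constructed user records (hypothetical schema, not from the question) ---

def legacy_record(password: bytes) -> dict:
    """A record as the old code left it: salt=None means 'fixed salt', and the
    user is flagged to set a new password at the next successful login."""
    return {"salt": None, "hash": hash_fixed_salt(password), "must_change_password": True}


def new_record(password: bytes) -> dict:
    """A record written by the recommended code: random salt stored with the hash."""
    salt, digest = hash_random_salt(password)
    return {"salt": salt, "hash": digest, "must_change_password": False}


def check_login(record: dict, password: bytes) -> tuple:
    """Returns (authenticated, must_change_password). Legacy records still verify,
    because the fixed salt is known, but a successful login is the only moment the
    plaintext is available, so the caller must then force a password change."""
    salt = FIXED_SALT if record["salt"] is None else record["salt"]
    ok = verify(password, salt, record["hash"])
    return ok, ok and record["must_change_password"]


def set_new_password(record: dict, new_password: bytes) -> None:
    """Password-change handler: store under the random-salt scheme and clear the flag."""
    salt, digest = hash_random_salt(new_password)
    record.update(salt=salt, hash=digest, must_change_password=False)


def fixed_salt_reveals_shared_passwords(pw_a: bytes, pw_b: bytes) -> bool:
    """True when two users' stored hashes are identical. Under the fixed salt this
    happens whenever their passwords match, which is also why one precomputed
    table for 'saltl23' can be reused against every account."""
    return hash_fixed_salt(pw_a) == hash_fixed_salt(pw_b)


def random_salt_reveals_shared_passwords(pw_a: bytes, pw_b: bytes) -> bool:
    """Same check under the new scheme: equal passwords no longer give equal hashes."""
    return hash_random_salt(pw_a)[1] == hash_random_salt(pw_b)[1]


if __name__ == "__main__":
    print("fixed salt, same password -> same hash:",
          fixed_salt_reveals_shared_passwords(b'hunter2', b'hunter2'))   # True
    print("random salt, same password -> same hash:",
          random_salt_reveals_shared_passwords(b'hunter2', b'hunter2'))  # False
    rec = legacy_record(b'hunter2')
    print("legacy login:", check_login(rec, b'hunter2'))                # (True, True)
    set_new_password(rec, b'correct horse battery staple')
    print("after change:", check_login(rec, b'correct horse battery staple'))  # (True, False)
```

The `must_change_password` flag is what turns "change the old passwords" (option A) into an enforceable control: nothing in the database can convert a fixed-salt hash into a random-salt one, so the migration completes only as each user supplies a new password.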