Certified Information Systems Security Professional (CISSP) — Question 212
A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used to store these passwords to ensure offline attacks are difficult?
Answer options
- A. Use an encryption algorithm that is fast with a random per-user encryption key.
- B. Use a hash function that is fast with a per-user random salt.
- C. Use a hash function with a cost factor and a per-user random salt.
- D. Use an encryption algorithm with a random master key.
Correct answer: C
Explanation
The correct answer is C. A per-user random salt means that two users with the same password get different stored hashes and that precomputed tables cannot be reused across accounts, while a cost factor (a tunable work parameter such as an iteration count) makes each guess expensive, so an attacker who obtains the hash database can test far fewer candidates per second. Options A and B rely on fast algorithms, which let an attacker test guesses at a very high rate and therefore do not provide sufficient protection against offline cracking. Option D uses encryption, which is reversible and so unsuitable for password storage: anyone who obtains the master key recovers every password.
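As an added illustration that is not part of the original question or its explanation, the following Python shows what option C looks like in practice: PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and an iteration count as the cost factor. The record format, the 600,000 default iteration count and the `needs_rehash` policy check are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# The iteration count is the cost factor: raise it as hardware gets faster.
# 600_000 follows the OWASP guidance for PBKDF2-HMAC-SHA256 (assumed default).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is generated per user unless one is supplied; the
    explicit salt parameter exists only to make tests deterministic.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was created with a cost below the current policy."""
    return int(record.split("$")[1]) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample input: two users who happen to choose the same password.
    alice = hash_password("correct horse battery")
    bob = hash_password("correct horse battery")
    # Per-user salt: identical passwords yield unrelated records, so cracking
    # one record tells the attacker nothing about the other.
    assert alice != bob
    assert verify_password("correct horse battery", alice)
    assert not verify_password("correct horse batter", alice)
    print("stored record:", alice)
```

When the policy's minimum cost is raised, `needs_rehash` lets the application re-hash a user's password at the next successful login rather than forcing a reset.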