This is a draft. The resources below make clear that clear-text passwords in digital information systems are a '''''NoGo''''', no matter what some "specification sheet" or other service provider agreement says ;-)

Site re-work in progress...
== CISSP ==

It is one of the classic CISSP exam questions, but let's have a closer look:

* What is the BEST method of storing passwords for a system?
** password-protected file
** file restricted to one individual
** one-way encrypted file
** two-way encrypted file

You may have already guessed it: the one-way encrypted file (a file of salted password hashes) is the correct answer. A one-way function cannot be reversed, so whoever steals the file still has to guess every password; with the other three options the password itself remains recoverable.

Of course there are intermediate options: a (two-way) encrypted password in the credential file is still far better than clear text, but the key needed to decrypt it has to live somewhere on the same system, which is why the one-way form is the best answer.

So if your service provider keeps telling you that clear-text passwords (credentials) don't matter at all, this is a killer argument ;-)
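The following is an added example, not code from the original page, showing in Python what the "one-way encrypted file" from the exam question looks like in practice: each password is stored as a salted PBKDF2-HMAC-SHA256 derivation, verification recomputes the derivation from the stored salt and compares in constant time, and the resulting file never contains a password verbatim. The record format (`$pbkdf2-sha256$iterations$salt$key`), the iteration count and the sample users are assumptions made for this example.

```python
"""Added example: one-way (hashed) credential storage instead of clear text.

Not from the original page. Record format, work factor and sample users
are assumptions made for this illustration; only the standard library is used.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor (assumed value; tune it for the target host
# so that one derivation costs a noticeable fraction of a second).
ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a one-way record: algorithm, iterations, salt and derived key.

    Nothing in the record can be turned back into the password; an attacker
    who steals the file must guess each password and redo the slow derivation
    per guess, and the per-user salt prevents precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored parameters and compare safely."""
    try:
        _, algo, iters, salt_b64, key_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed, never accept by accident
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def build_credential_file(users: Dict[str, str], iterations: int = ITERATIONS) -> str:
    """Produce the text of a credential file with one 'user:record' line each."""
    return "".join(f"{user}:{hash_password(pw, iterations=iterations)}\n"
                   for user, pw in users.items())


def check_login(credential_file: str, user: str, password: str) -> bool:
    """Look up a user in the file text and verify the offered password."""
    for line in credential_file.splitlines():
        name, _, record = line.partition(":")
        if name == user:
            return verify_password(password, record)
    return False  # unknown user


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    sample = {"alice": "correct horse battery staple", "bob": "hunter2"}
    text = build_credential_file(sample)
    print(text)
    # The clear-text test the page argues for: no password appears in the file.
    assert all(pw not in text for pw in sample.values())
    print(check_login(text, "alice", "correct horse battery staple"))  # True
    print(check_login(text, "alice", "hunter2"))                        # False
```

Storing the iteration count inside each record lets you raise the work factor later and re-hash users on their next successful login, and the `$`-separated layout mirrors the style of modular crypt format strings used by `/etc/shadow`, although this example's field names and ordering are its own, not a standard.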

Furthermore, did you know that there is a so-called:

=== Code of ethics ===

'''(ISC)²'''

: https://www.isc2.org/Ethics#

: or the following resource in the

'''German Wikipedia'''

: https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics

: "If a CISSP does not act according to these principles, he can be reported to (ISC)² by another CISSP at any time."

: '''Next steps'''

: Therefore you should of course either be a CISSP yourself or know somebody who is one.

: In my case, I know some of my former fellow students who hold a valid CISSP certification.

== Book(s) ==

Computer Security '''''Basics''''' (2nd edition, O'Reilly)

: Rick Lehtinen, Deborah Russell & G.T. Gangemi Sr.; released '''''June 2006'''''; ISBN-13: 978-0596006693

: Pages 65-66

As you can imagine, there is an endless list of books telling the same story ;-)

== CWE(s) ==

CWE-256, Plaintext Storage of a Password: https://cwe.mitre.org/data/definitions/256.html

== Background ==

Why am I writing this article?

Because I got the credentials for accessing the account from my former personal hosting provider in clear text :-(