|
|
| (5 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| This is a draft, the resources below clearly tell that clear text passwords in digital information systems are a '''''NO-GO''''' regardless what's in some "specification sheet" or other service provider agreements ;-)
| | Site re-work in progress... |
| | |
| == CISSP ==
| |
| Well, it's one of the CISSP questions, but let's have a closer look: <br>
| |
| * What is the BEST method of storing passwords for a system:
| |
| ** password-protected file
| |
| ** file restricted to one individual
| |
| ** one-way encrypted file
| |
| ** two-way encrypted file
| |
| | |
| You may have guessed it already: an one-way encrypted file is the correct answer. Of course there are other options so an encrypted password in the credential file works out well, too. <br> So if you're service provider keeps telling you that clear text passwords (credentials) don't matter at all, that's a killer argument ;-)
| |
| | |
| Furthermore, did you know that there's a so called:
| |
| === Code of ethics ===
| |
| https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics <br>
| |
| "Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden." <br>
| |
| Of course therefore you should either be a CISSP or know somebody who is a CISSP. <br>
| |
| In my case I know some of my former fellow students who are having a valid CISSP certification.
| |
| | |
| == Book(s) ==
| |
| Computer Security '''''Basics''''' <br> Rick Lehtinen, Deborah Russel & G.T. Gangemi Sr. ; Released '''''June 2006''''' ; ISBN-13: 978-0596006693 <br> Page 65-66
| |
| | |
| == CWE(s) ==
| |
| https://cwe.mitre.org/data/definitions/256.html
| |
| | |
| == Background ==
| |
| Why I'm writing this article?
| |
| Because I got the credentials for accessing the account from my former personal hosting provider in clear text :-(
| |
Site re-work in progress...