Security:ClearTextPasswords: Difference between revisions

From queowiki
← Older editNewer edit →
No edit summary
No edit summary
Line 11: Line 11:
You may have guessed it already: an one-way encrypted file is the correct answer. Of course there are other options so an encrypted password in the credential file works out well, too. <br> So if you're service provider keeps telling you that clear text passwords (credentials) don't matter at all, that's a killer argument ;-)
You may have guessed it already: an one-way encrypted file is the correct answer. Of course there are other options so an encrypted password in the credential file works out well, too. <br> So if you're service provider keeps telling you that clear text passwords (credentials) don't matter at all, that's a killer argument ;-)


Did you know that there's a so called:
Furthermore, did you know that there's a so called:
=== Code of ethics ===
=== Code of ethics ===
https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics <br>
https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics <br>
"Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden." <br>
"Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden." <br>
Of course therefore you should either be a CISSP or know somebody who is a CISSP. <br>
Of course therefore you should either be a CISSP or know somebody who is a CISSP. <br>
In my case I know some of my former colleagues who are having a valid CISSP certification.
In my case I know some of my former fellow students who are having a valid CISSP certification.


== Books ==
== Books ==

Revision as of 08:21, 14 August 2020

This is a draft, the resources below clearly tell that clear text passwords in digital information systems are a NO-GO regardless what's in some "specification sheet" or other service provider agreements ;-)

CISSP

Well, it's one of the CISSP questions, but let's have a closer look:

  • What is the BEST method of storing passwords for a system:
    • password-protected file
    • file restricted to one individual
    • one-way encrypted file
    • two-way encrypted file

You may have guessed it already: an one-way encrypted file is the correct answer. Of course there are other options so an encrypted password in the credential file works out well, too.
So if you're service provider keeps telling you that clear text passwords (credentials) don't matter at all, that's a killer argument ;-)

Furthermore, did you know that there's a so called:

Code of ethics

https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics
"Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden."
Of course therefore you should either be a CISSP or know somebody who is a CISSP.
In my case I know some of my former fellow students who are having a valid CISSP certification.

Books

Computer Security Basics
Rick Lehtinen, Deborah Russel & G.T. Gangemi Sr. ; Released June 2006 ; ISBN-13: 978-0596006693
Page 65-66

CWE

https://cwe.mitre.org/data/definitions/256.html

Retrieved from "https://quehenberger.org/queowiki/index.php?title=Security:ClearTextPasswords&oldid=92"