Security:ClearTextPasswords: Difference between revisions
No edit summary |
mNo edit summary |
||
| Line 1: | Line 1: | ||
This is a draft, the resources below clearly tell that clear text passwords in digital information systems are a ''''' | This is a draft, the resources below clearly tell that clear text passwords in digital information systems are a '''''NoGo''''' no matter what's in some "specification sheet" or other service provider agreements ;-) | ||
== CISSP == | == CISSP == | ||
| Line 9: | Line 9: | ||
** two-way encrypted file | ** two-way encrypted file | ||
You may have guessed it | You may have already guessed it: a one-way encrypted file is the correct answer. Of course there are other options so an encrypted password in the credential file works out well, too. <br> So if your service provider keeps telling you that clear text passwords (credentials) don't matter at all, that's a killer argument ;-) | ||
Furthermore, did you know that there's a so called: | Furthermore, did you know that there's a so called: | ||
| Line 15: | Line 15: | ||
ISC: https://www.isc2.org/Ethics# <br> | ISC: https://www.isc2.org/Ethics# <br> | ||
or the following | or the following resource in the German Wikipedia: <br> | ||
https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics <br> | https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics <br> | ||
"Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden." <br><br> | "Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden." <br><br> | ||
| Line 28: | Line 28: | ||
== Background == | == Background == | ||
Why I | Why am I writing this article? | ||
Because I got the credentials for accessing the account from my former personal hosting provider in clear text :-( | Because I got the credentials for accessing the account from my former personal hosting provider in clear text :-( | ||
Revision as of 16:11, 14 August 2020
This is a draft, the resources below clearly tell that clear text passwords in digital information systems are a NoGo no matter what's in some "specification sheet" or other service provider agreements ;-)
CISSP
Well, it's one of the CISSP questions, but let's have a closer look:
- What is the BEST method of storing passwords for a system:
- password-protected file
- file restricted to one individual
- one-way encrypted file
- two-way encrypted file
You may have already guessed it: a one-way encrypted file is the correct answer. Of course there are other options so an encrypted password in the credential file works out well, too.
So if your service provider keeps telling you that clear text passwords (credentials) don't matter at all, that's a killer argument ;-)
Furthermore, did you know that there's a so called:
Code of ethics
ISC: https://www.isc2.org/Ethics#
or the following resource in the German Wikipedia:
https://de.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Code_of_Ethics
"Handelt ein CISSP nicht nach diesen Grundsätzen, kann er jederzeit durch einen anderen CISSP bei der (ISC)² gemeldet werden."
Of course therefore you should either be a CISSP or know somebody who is a CISSP.
In my case I know some of my former fellow students who are having a valid CISSP certification.
Book(s)
Computer Security Basics
Rick Lehtinen, Deborah Russel & G.T. Gangemi Sr. ; Released June 2006 ; ISBN-13: 978-0596006693
Page 65-66
CWE(s)
https://cwe.mitre.org/data/definitions/256.html
Background
Why am I writing this article? Because I got the credentials for accessing the account from my former personal hosting provider in clear text :-(