There is a requirement to securely store unique usernames and passwords.
Given a valid username, it is also required to validate that the password provided is correct.
Which action accomplishes this task?
The most common approach to securely store passwords is to hash them. Hashing is a one-way function that converts plaintext (the password in this case) into a fixed-length string of characters from which the original input cannot be recovered. When a user creates or changes their password, the system hashes it and stores the resulting hash value in a database.
However, hashing alone is not sufficient. If an attacker gains access to the database, they can still use a technique called a "dictionary attack": hashing candidate passwords one after another until one produces the same hash value as the stored password.
To prevent this, a salt is usually added to the password before hashing it. A salt is a random string of characters that is appended to the password before it is hashed. This makes it much more difficult for an attacker to crack the hash by trying all possible combinations of passwords.
Given the requirement to securely store unique usernames and passwords and to validate that the password provided is correct, option A (encrypt the username, hash the password, and store these values) would be the best approach.
Encrypting the username adds an extra layer of security by ensuring that even if an attacker gains access to the database, they will not be able to read the usernames. Hashing the password with a salt provides an extra layer of security for the password.
When a user logs in, the system hashes the provided password with the same salt used to hash the stored password, and then compares the resulting hash value with the stored hash value. If they match, the password is considered valid.
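The salted store-and-verify flow described above, as an added example that is not part of the original answer. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a constructed in-memory user table; the 600,000 iteration count is an assumed work factor and the username encryption from option A is left out since it needs a key store the page does not describe.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, password_hash).
_USERS: dict[str, tuple[bytes, bytes]] = {}

# Assumption: a current, deliberately slow work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so offline guessing is expensive per attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a new user with a fresh random salt.

    A per-user salt means two users with the same password get different
    hashes, so one cracked hash or precomputed table does not expose both.
    """
    if username in _USERS:
        raise ValueError("username must be unique")
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare."""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong
        # password; otherwise response time reveals which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = record
    # compare_digest runs in constant time, unlike ==, which stops at the
    # first differing byte and leaks how much of the hash matched.
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))  # False
    print(verify("nobody", "anything"))  # False
```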
Option B (hash the username, hash the password, and store these values) is not recommended because if the attacker gains access to the hash values, they can use a dictionary attack to find matching usernames and passwords.
Option C (encrypt the username, encrypt the password, and store these values) is not recommended because the system needs to compare the provided password with the stored password to validate it. If the password is encrypted, the system cannot compare it with the stored value.
Option D (hash the username, encrypt the password, and store these values) is not recommended because if the attacker gains access to the hash and encrypted values, they can use a dictionary attack to find matching usernames and encrypted passwords.