ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A cloud development team must persist user passwords for a new public REST API that will run on a PaaS environment. To satisfy OWASP ASVS Level 2 requirements for credential storage while keeping operational overhead low, which implementation choice is MOST appropriate?
Save passwords in plaintext but restrict database access to the application account only.
Hash each password with MD5 and append a static salt value before saving.
Encrypt each password with AES-256 in ECB mode and keep the key hard-coded in the application.
Store each password as a bcrypt hash with a unique random salt and a work factor of at least 12.
OWASP ASVS Level 2 (V2.3 - Password Security) requires that passwords be stored only as salted, adaptive, one-way hashes such as bcrypt, scrypt, PBKDF2, or Argon2. Bcrypt with a sufficiently strong work factor (for example, cost 12) and a unique salt per user meets this requirement and is easy to obtain from many managed database or framework libraries. Encrypting passwords with AES-256 in ECB mode still allows decryption and uses an insecure block mode, so it violates the one-way protection requirement. MD5 is a fast, outdated hash unsuitable for password storage, even with a salt. Storing plaintext passwords, even if database access is restricted, directly contravenes ASVS prohibitions on reversible or clear-text password storage.
Cloud Application Security