During a penetration test, you discover that the client's web application is storing user passwords in a database using a hashing algorithm without a salt. You need to report this finding and recommend an appropriate remediation strategy. Which recommendation enhances the security of password storage?
You selected this option
Convert existing hashes to MD5 with a dynamic salt for added security.
You selected this option
Store passwords using reversible AES encryption.
You selected this option
Use SHA-256 with a dynamic salt for hashing each user's password.
You selected this option
Implement bcrypt with a dynamic salt for hashing each user's password.
The correct answer is 'Implement bcrypt with a dynamic salt for hashing each user's password.' The use of bcrypt is recommended because it is a slow hashing function specially designed for password storage. It incorporates a salt to protect against rainbow table attacks and has the ability to scale the hashing difficulty with work factors to defend against brute force attacks. The use of MD5 or any fast hashing algorithm, even with a dynamic salt, is inappropriate for password storage due to their vulnerability to brute force attacks and fast hashing speeds, which facilitate cracking efforts.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is bcrypt and why is it better than other hashing algorithms?
Open an interactive chat with Bash
What is a salt, and how does it enhance password security?
Open an interactive chat with Bash
Why is using fast hashing algorithms, like SHA-256 or MD5, unsuitable for password storage?