Suppose a system stores passwords like this:

For each user, a unique salt is randomly generated and stored along with the password hash.

Additionally, the system uses a single global secret pepper, not stored in the database, but hardcoded into the backend server.

Which of the following statements are correct? (Select all that apply.)

Question

Suppose a system stores passwords like this:

For each user, a unique salt is randomly generated and stored along with the password hash.

Additionally, the system uses a single global secret pepper, not stored in the database, but hardcoded into the backend server.

Which of the following statements are correct? (Select all that apply.)

BlackTom AI · Accepted Answer

The question asks us to assess statements about a password storage scheme that uses per-user salts, a global pepper stored in the backend, and a hashed password. 
Option 1: 'Salting makes it impossible for an attacker to guess weak passwords if they have the hash and salt.' This overstates the protection. Salting does make it harder to use precomputed attacks and to relate hashes across users, but it does not render guessing weak passwords impossible. A determined attacker can still attempt brute-force or dictionary guesses, especially for weak passwords, by computing hashes with the same salt. So this claim is incorrect. 
Option 2: 'If an attacker steals the database but not the backend server, they can still easily brute-force the passwords because the salt is public.' While it’s true that salts are not secret and are stored with hashes, the statement exaggerates the ease of cracking. The salt being public does not by itself enable “easy” brute-forcing; the attacker still faces the cost of guessing the password and computing the hash, and without the pepper (which is not in the database), there is an extra layer of protection. Overall, this claim is misleading and not accurate as stated. 
Option 3: 'Salting prevents attackers from using precomputed rainbow tables effectively, even if two users have the same password.' This is correct. Salts ensure that identical passwords yield different hashes, breaking the applicability of rainbow tables, so precomputed tables aren’t useful across users. 
Option 4: 'Peppering adds extra protection — even if the database is stolen, passwords are harder to crack without server access.' This is also correct in the common model where the pepper is a server-held secret not stored in the database. Without access to the pepper (and the server), offline hash cracking becomes more difficult, because the hash inputs include the pepper value. However, note that if an attacker gains full server access, they could obtain the pepper as well, but the statement describes the protection when the database alone is stolen. Therefore this claim aligns with typical pepper usage. 
In summary, several options are designed to highlight the benefits of both salting and peppering, with option 3 clearly valid and option 4 also valid under standard pepper usage. Options 1 and 2 misstate the protections or overstate the ease of cracking, respectively, and are thus incorrect.

INFO2222 （ND） INFO2222 模拟考试

查看解析

登录即可查看完整答案

类似问题

When designing a secure system, why is hashing preferred over encryption for storing passwords?

An important technique to mitigate password dictionary attacks is to ___________.

__________ is a technique used to help protect against attacks exposing the contents of the server where password information is stored.

The best way to store passwords is:

A hash of data can be identified with attacks, so it is customary to add to a hash to ensure that the hash value appears to be different each time it is used.

In a consumer society, many adults channel creativity into buying things

Economic stress and unpredictable times have resulted in a booming industry for self-help products

People born without creativity never can develop it

更多留学生实用工具

考试浏览器助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单