Weekly CISSP Practice
Exam Questions
Week 14 - Question 2
When developing an application, what’s the best practice for handling sensitive user input like passwords?
A. Encrypt before storage
B. Store in plaintext, but securely
C. Hash and salt before storage
D. Mask with base64
Correct Answer: C
Explanation:
A. Encrypt Before Storage
Encryption is a two-way (reversible) process. It uses an algorithm and a key to turn plaintext into ciphertext, which can later be decrypted back into its original form.
The Risk: If an organization encrypts passwords, it must also manage an encryption key. If an attacker compromises the server and steals both the database and the key, they can revert every password back to plaintext.
The Use Case: Encryption is ideal for data that needs to be read again, such as credit card numbers or home addresses. However, for authentication, the system never actually needs to know your original password; it only needs to verify that the password you entered matches the one on file.
B. Store in Plaintext, But Securely
"Plaintext" means the data is stored in its original, readable form.
The Fallacy: There is no such thing as "storing plaintext securely" in a modern threat landscape. Even if the database is behind multiple firewalls, an SQL injection (SQLi) attack or a rogue administrator could easily view every user's password.
The Impact: Plaintext storage is considered gross negligence in security. It allows for effortless credential stuffing attacks across other platforms where the user might use the same password.
C. Hash and Salt Before Storage
Hashing is a one-way (non-reversible) mathematical function. Once a password is hashed, it cannot be "decrypted" back into its original form.
Why it's the Best Practice: When a user logs in, the system hashes the provided password and compares the result to the stored hash. If they match, access is granted.
The Role of the "Salt": A salt is a unique, random string of bits added to the password before hashing.
Purpose: Salting ensures that two users with the same password (e.g., "P@ssword123") will have completely different hashes in the database.
Defense: This prevents attackers from using Rainbow Tables (precomputed lists of hashes) to crack common passwords in bulk.
D. Mask with Base64
Base64 is an encoding scheme, not a security measure or an encryption method.
The Error: Encoding is used to transform binary data into a text-based format for transmission over protocols like SMTP (email). It requires no key to reverse.
The Vulnerability: Anyone who sees a Base64 string can decode it instantly using standard tools or even a simple web browser. Using Base64 for passwords is "security by obscurity" and offers zero actual protection.
Key Takeaway for the CISSP Exam
Credential Protection Summary:
- Hashing: Provides integrity and "one-way" protection.
- Salting: Prevents Rainbow Table attacks and ensures unique hashes for identical passwords.
- Key Stretching: Using algorithms like Argon2, bcrypt, or PBKDF2 to make the hashing process slower, which protects against high-speed brute-force attacks.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.