
Weekly CISSP Practice

Exam Questions

Week 48 - Question 2

What is the best practice for securely storing passwords?

A. Plaintext in a secure folder
B. Reversible encryption
C. Salted Hashes
D. ROT13

Answer: C. Salted Hashes
Explanation:

Password Storage Breakdown

  • Salted Hashes: This is the gold standard. A "salt" is a unique, random string added to a password before it is hashed. This ensures that even if two users have the same password, their hashes will look different. It specifically protects against Rainbow Table attacks.

    • Example: Password + RandomSalt -> SHA-256 Hash.

  • Plaintext: Storing passwords in a readable format is the ultimate security failure. If the storage medium (database or folder) is compromised, every account is immediately compromised along with it.

  • Reversible Encryption: This involves using a key to encrypt passwords. While better than plaintext, it is risky because if an attacker steals the decryption key, they can recover every single password in the database.

  • ROT13: This is a simple substitution cipher that replaces a letter with the 13th letter after it in the alphabet. It is considered obfuscation, not true encryption, and provides zero security as it can be reversed instantly by anyone.
Why the other options are incorrect

  • A. Plaintext in a secure folder: Folders can be misconfigured or bypassed. Security should be inherent to the data (the password), not just its container.

  • B. Reversible encryption: This creates a "single point of failure" (the key). Best practices dictate that the system should never even know what the user's password is—it should only know if the hash matches.

  • D. ROT13: This is often used in puzzles or online forums to hide spoilers; it has no place in a professional security architecture.

The "CISSP Rule of Thumb": If you are storing passwords, you want a One-Way Function (Hashing). If you want to stop bulk cracking, you add Salt.
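The following is an added example (not part of the original question or its explanation) showing the salted, one-way storage described above in working Python: a per-user random salt, verification by recomputing the hash, and a demonstration that the salt defeats a precomputed lookup table of the kind a rainbow table attack relies on. It stores passwords with PBKDF2-HMAC-SHA256 rather than a single SHA-256 call, because a deliberately slow password hashing function is how salted hashing is deployed in practice; the iteration count and the three "common passwords" in the lookup table are constructed, illustrative values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Illustrative parameters (assumptions for this example, not from the page).
ITERATIONS = 200_000   # work factor: makes each guess expensive to compute
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given.

    Only the salt and the digest are stored; the password itself never is,
    which is the one-way property the explanation above calls for."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def same_password_differs() -> bool:
    """Two users with the same password must get different salts and digests."""
    salt1, digest1 = hash_password("correct horse battery staple")
    salt2, digest2 = hash_password("correct horse battery staple")
    return salt1 != salt2 and digest1 != digest2


def salted_sha256(password: str, salt: bytes) -> str:
    """The page's own formula, Password + RandomSalt -> SHA-256, as hex."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def precomputed_lookup(password: str) -> Tuple[bool, bool]:
    """Build a constructed table of unsalted SHA-256 digests for a few common
    passwords and look up both the unsalted and the salted digest of `password`.
    Returns (unsalted_hit, salted_hit): the salt makes the table useless."""
    common = ["password", "123456", "letmein"]          # constructed sample list
    table = {hashlib.sha256(p.encode("utf-8")).hexdigest(): p for p in common}
    unsalted_hit = hashlib.sha256(password.encode("utf-8")).hexdigest() in table
    salted_hit = salted_sha256(password, os.urandom(SALT_BYTES)) in table
    return unsalted_hit, salted_hit
```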
