CISSP PRACTICE QUESTIONS – 20200223

Effective CISSP Questions

Your company sells toys online and ships globally. The online shopping website would send the original password back to the cell phone if the customer forgot the password. Which of the following is the best cryptographic algorithm used to protect the password at rest?
A. 3DES (Triple Data Encryption Algorithm)
B. Salted SHA (Secure Hash Algorithms)
C. HMAC (Hashed Message Authentication Code)
D. Hardware token


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. 3DES (Triple Data Encryption Algorithm).

There are two conventional approaches to implement the “Forgot the password” use case: “retrieve the password” and “reset the password.”

  • Retrieving the password is not supported when the password at rest is a hash, because a hash value is irreversible. Only an encrypted password can be decrypted, so the original password can be retrieved from the database and sent back to the customer.
  • If the password is stored in the form of a hash, the original password is lost and cannot be retrieved. If a customer forgets the password, there is no choice but to ask the customer to reset it. A “salt” is a random string that is prepended or appended to the customer’s password, and the combined value is hashed.

Even though 3DES (Triple Data Encryption Algorithm) is officially being retired, it is the only cryptographic algorithm among the options that supports retrieval of the original password.

Salted SHA (Secure Hash Algorithms) means the password is prepended or appended with a salt and stored as a hash.

HMAC (Hashed Message Authentication Code) complicates the “Forgot the password” scenario. HMAC generates a hash protected by a “shared key” to ensure authenticity.

Hardware token is a distractor in this case.
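To show why options B and C cannot serve the “retrieve the password” use case, here is an added example (not code from the original post) of a password-at-rest store using salted SHA-256 and, as a variant, HMAC-SHA256 under a server-side key. Both are one-way: they support verify and reset, but nothing in the record can give the original password back. The salt length, key and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16  # bytes of random salt per customer (constructed choice)


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Option B: SHA-256 over salt || password. One-way, per-customer salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def keyed_hmac(password: str, salt: bytes, server_key: bytes) -> bytes:
    """Option C: HMAC-SHA256 over salt || password under a server-held key.
    Still one-way; the key only proves the record was produced by the server."""
    return hmac.new(server_key, salt + password.encode("utf-8"), hashlib.sha256).digest()


def store_password(password: str, server_key: Optional[bytes] = None) -> dict:
    """Build the at-rest record. The plaintext is never written anywhere,
    so a 'send me my old password' feature has nothing to send."""
    salt = os.urandom(SALT_LEN)
    if server_key is None:
        digest = salted_sha256(password, salt)
        return {"scheme": "salted-sha256", "salt": salt, "digest": digest}
    digest = keyed_hmac(password, salt, server_key)
    return {"scheme": "hmac-sha256", "salt": salt, "digest": digest}


def verify_password(record: dict, candidate: str, server_key: Optional[bytes] = None) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    if record["scheme"] == "salted-sha256":
        expected = salted_sha256(candidate, record["salt"])
    elif record["scheme"] == "hmac-sha256" and server_key is not None:
        expected = keyed_hmac(candidate, record["salt"], server_key)
    else:
        return False
    return hmac.compare_digest(expected, record["digest"])


def reset_password(new_password: str, server_key: Optional[bytes] = None) -> dict:
    """The only 'forgot password' path a hash-based store can offer:
    discard the old record and create a fresh one with a new salt."""
    return store_password(new_password, server_key)
```

Because every record carries its own random salt, two customers with the same password get different digests, so a leaked database does not reveal shared passwords at a glance.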



Your company sells toys online and ships globally. If a customer forgets the password, the online shopping website sends the original password back to the cell phone. Which of the following cryptographic algorithms best protects the customer password stored in the database?
A. 3DES (Triple Data Encryption Algorithm)
B. Salted SHA (Secure Hash Algorithms)
C. HMAC (Hashed Message Authentication Code)
D. Hardware token
