CISSP PRACTICE QUESTIONS – 20210311

Effective CISSP Questions

The head of the customer service department reports that the workload of customer requests for resetting passwords overwhelms customer service representatives (CSRs) and suggests the system in question, supported by a Linux shadow file, shall allow customers to retrieve their passwords through email or short message notification. Which of the following is the best solution that meets the requirement?
A. MD5
B. Blowfish
C. SHA-256
D. Multi-factor authentication (MFA)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Blowfish.

Not everyone is good at or comfortable with internet services or information technologies. Some people may be unfamiliar with resetting passwords and tend to call the customer service department for support.

It’s not uncommon for enterprises to allow customers to query or retrieve their passwords to reduce the workload of CSRs. However, the customers’ passwords must be encrypted instead of hashed so that customers can receive the original passwords in their mailboxes or mobile phones.

  • “Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products.” (Wikipedia)
  • MD5 and SHA-256 are one-way hash functions.
  • If a user or customer cannot reset their password and has to call for support, multi-factor authentication (MFA) complicates the password reset process, increases the workload of CSRs, and does nothing to help retrieve passwords.

Linux /etc/shadow File

Linux shadow file (Source: linuxize)
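To make the shadow-file point concrete, here is an added example (not code from the original post) that parses constructed /etc/shadow lines, identifies which one-way hashing scheme each password field uses, and evaluates the password-aging fields that govern when a reset is due. The sample entries, salts and hash strings are constructed placeholders, not real system data.

```python
# Added example: inspect constructed /etc/shadow entries.
# Every "$id$" scheme below is a one-way crypt(3) hash, which is why a
# shadow file can verify a password but never hand the plaintext back.
from dataclasses import dataclass
from typing import Optional

# crypt(3) identifiers found at the start of the shadow password field.
HASH_IDS = {"1": "md5crypt (MD5)", "5": "sha256crypt (SHA-256)",
            "6": "sha512crypt (SHA-512)", "y": "yescrypt"}

@dataclass
class ShadowEntry:
    user: str
    password: str              # raw second field, as stored
    last_change: Optional[int] # days since 1970-01-01 of the last change
    max_days: Optional[int]    # maximum password age; 99999 means never

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    num = lambda s: int(s) if s else None
    return ShadowEntry(fields[0], fields[1], num(fields[2]), num(fields[4]))

def describe_password_field(field: str) -> str:
    """Classify the password field: empty, locked, or which one-way hash."""
    if field == "":
        return "empty (no password required)"
    if field.startswith(("!", "*")):
        return "locked / no valid password"
    if field.startswith("$"):
        hash_id = field.split("$")[1]   # element 0 is "" before the first "$"
        return HASH_IDS.get(hash_id, f"unknown id ${hash_id}$")
    return "legacy DES crypt"

def password_expired(entry: ShadowEntry, today_days: int) -> bool:
    """True when max_days have elapsed since the last change (99999 = never)."""
    if entry.last_change is None or entry.max_days is None:
        return False
    if entry.max_days >= 99999:
        return False
    return today_days > entry.last_change + entry.max_days

# Constructed sample entries (salts and hashes are placeholders).
SAMPLE_SHADOW = [
    "root:$6$placeholdersalt$placeholderhash:18500:0:99999:7:::",
    "alice:$y$j9T$placeholdersalt$placeholderhash:18600:0:90:7:::",
    "bob:!:18000:0:99999:7:::",
]

def audit(lines=SAMPLE_SHADOW, today_days=18700):
    """Return (user, scheme, expired) for each entry."""
    out = []
    for line in lines:
        e = parse_shadow_line(line)
        out.append((e.user, describe_password_field(e.password),
                    password_expired(e, today_days)))
    return out
```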

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

The head of the customer service department reports that the workload of customer requests for resetting passwords overwhelms customer service representatives (CSRs), and suggests that the system (which uses a Linux shadow file) should allow customers to query their passwords through email or SMS notification. Which of the following is the best solution that meets this requirement?
A. MD5
B. Blowfish
C. SHA-256
D. Multi-factor authentication (MFA)
