Suppose a system stores passwords like this:

For each user, a unique salt is randomly generated and stored along with the password hash.

Additionally, the system uses a single global secret pepper, not stored in the database, but hardcoded into the backend server.

Which of the following statements are correct? (Select all that apply.)

Question

Suppose a system stores passwords like this:

For each user, a unique salt is randomly generated and stored along with the password hash.

Additionally, the system uses a single global secret pepper, not stored in the database, but hardcoded into the backend server.

Which of the following statements are correct? (Select all that apply.)

BlackTom AI · Accepted Answer

The question asks us to assess statements about a password storage scheme that uses per-user salts, a global pepper stored in the backend, and a hashed password. 
Option 1: 'Salting makes it impossible for an attacker to guess weak passwords if they have the hash and salt.' This overstates the protection. Salting does make it harder to use precomputed attacks and to relate hashes across users, but it does not render guessing weak passwords impossible. A determined attacker can still attempt brute-force or dictionary guesses, especially for weak passwords, by computing hashes with the same salt. So this claim is incorrect. 
Option 2: 'If an attacker steals the database but not the backend server, they can still easily brute-force the passwords because the salt is public.' While it’s true that salts are not secret and are stored with hashes, the statement exaggerates the ease of cracking. The salt being public does not by itself enable “easy” brute-forcing; the attacker still faces the cost of guessing the password and computing the hash, and without the pepper (which is not in the database), there is an extra layer of protection. Overall, this claim is misleading and not accurate as stated. 
Option 3: 'Salting prevents attackers from using precomputed rainbow tables effectively, even if two users have the same password.' This is correct. Salts ensure that identical passwords yield different hashes, breaking the applicability of rainbow tables, so precomputed tables aren’t useful across users. 
Option 4: 'Peppering adds extra protection — even if the database is stolen, passwords are harder to crack without server access.' This is also correct in the common model where the pepper is a server-held secret not stored in the database. Without access to the pepper (and the server), offline hash cracking becomes more difficult, because the hash inputs include the pepper value. However, note that if an attacker gains full server access, they could obtain the pepper as well, but the statement describes the protection when the database alone is stolen. Therefore this claim aligns with typical pepper usage. 
In summary, several options are designed to highlight the benefits of both salting and peppering, with option 3 clearly valid and option 4 also valid under standard pepper usage. Options 1 and 2 misstate the protections or overstate the ease of cracking, respectively, and are thus incorrect.

类似问题

Scenario:Passwords are stored in a database as hashes. Even if the database is compromised, original passwords cannot be recovered. Question: Which cryptographic concept is applied?

To protect passwords in the case when an attacker obtains the password database, _ is used to prevent ___ of the passwords.

When designing a secure system, why is hashing preferred over encryption for storing passwords?

An important technique to mitigate password dictionary attacks is to ___________.

__________ is a technique used to help protect against attacks exposing the contents of the server where password information is stored.

The best way to store passwords is:

A hash of data can be identified with attacks, so it is customary to add to a hash to ensure that the hash value appears to be different each time it is used.

Which of the following trees corresponds to a potential parse of the ambiguous sentence below, with correct syntactic categories? Some diagnostics are provided.

更多留学生实用工具

智能学习助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单