Question 17 - CertNexus ITS-110 Real Exam Questions [Jan 2026 Update]

Q: 17

Passwords should be stored…

Options

Correct Answer:

Explanation

Storing passwords as a hash value is a fundamental security best practice. Hashing is a one-way cryptographic function that converts a password into a fixed-length, non-reversible string of characters called a hash. When a user attempts to log in, the system hashes the entered password and compares it to the stored hash. This ensures that the actual password is never stored in a recoverable format, protecting user credentials even if the authentication database is compromised. Modern systems enhance this by adding a unique "salt" to each password before hashing to prevent pre-computation attacks like rainbow tables.

Why Incorrect

A. This describes a password expiration policy, a management practice, not the technical method for secure storage.

B. Storing passwords in cleartext is a critical security vulnerability that exposes them directly in case of a data breach.

D. Digital certificates are used in Public Key Infrastructure (PKI) to bind a public key to an identity, not for storing user passwords.

References

1. National Institute of Standards and Technology (NIST). (2017). NIST Special Publication 800-63B: Digital Identity Guidelines

Authentication and Lifecycle Management. Section 5.1.1.2

"Memorized Secret Verifiers

" states: "Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function." (Page 19). Available: https://doi.org/10.6028/NIST.SP.800-63b

2. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278–1308. Section I.B.3

"Password Protection

" describes the foundational concept: "The password file

instead of containing a list of passwords

can contain a list of results of a one-way encryption function applied to the passwords." (Page 1285). Available: https://doi.org/10.1109/PROC.1975.9939

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2014). 6.858 Computer Systems Security

Fall 2014. Lecture 4: Web Security. The lecture notes explicitly state the secure method for password storage: "Store hash(password) instead of password." (Slide 29). Available: https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/resources/mit6858f14lec4/

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE