Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 134

All but the most rudimentary legacy systems actually store a hash of a user's password, passphrase, or other Type I factor value; if an attacker exfiltrates a copy of the stored hash of the factor, they face a computationally infeasible (or tremendous brute force) burden of trying to unhash that back into its original plaintext form. This hash function should be applied at the endpoint device at which the user enters the factor so that only the hash is transmitted to the access control system.

Secure hash functions can be made much more secure by appending a pseudorandomly generated salt value to the input plaintext version of the factor before hashing it. Secure frameworks and systems tools make it easier for systems administrators to add salt to their hash function use and provide many powerful ways to select and manage salts.

There is no practical reason why the plaintext version of a Type I factor has to be stored in your system—anywhere.