ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A development team stores user API secrets in Amazon DynamoDB as fixed-length digests so the plaintext values are never written to disk. Today they hash each secret once with SHA-256, but a security review points out the design is still vulnerable to rainbow-table attacks if the table is leaked. Which change will MOST effectively mitigate this specific risk while keeping the stored digest roughly the same 256-bit size?
Concatenate a cryptographically secure random value to each secret and then hash the combined value with SHA-256 before storing it
Encrypt each secret with an AWS KMS symmetric customer managed key before writing it to DynamoDB
Hash every secret twice, first with SHA-1 and then with SHA-256, before storing the final digest
Compress each secret with gzip and hash the compressed output using SHA-256
Rainbow-table attacks rely on the fact that the same input always produces the same stored value. By appending a unique, cryptographically secure random salt to every secret before hashing, each record is protected by a different hash function instance, forcing an attacker to generate a separate table per salt, an impractical effort. Double-hashing without a salt remains deterministic and offers no real defense. Encrypting the secrets with AWS KMS would defeat rainbow tables but returns ciphertext blobs hundreds of bytes long and introduces key-management overhead, violating the fixed-length storage requirement. Gzip compression is deterministic and adds no entropy, so it does not mitigate rainbow-table attacks. Therefore, salting each secret before hashing is the most effective solution that still fits the existing 256-bit field.
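The following Python is an added illustration, not part of the original question or its explanation: it contrasts today's deterministic SHA-256 with the salted variant, shows that a precomputed digest table (a toy stand-in for a rainbow table, built from constructed sample values) recovers the unsalted digest but not the salted one, and confirms the salted digest still occupies 256 bits. The DynamoDB item layout (a `salt` attribute stored beside the `digest`) is an assumption for the example.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # 128-bit random salt, generated fresh for every record


def unsalted_digest(secret: bytes) -> bytes:
    """Today's scheme: one deterministic SHA-256 of the secret."""
    return hashlib.sha256(secret).digest()


def salted_digest(secret: bytes, salt: bytes) -> bytes:
    """Proposed scheme: SHA-256 over salt || secret; output stays 32 bytes (256 bits).
    Note: API secrets are high-entropy; for low-entropy inputs such as passwords a
    deliberately slow KDF would be the usual choice, but that is outside the question."""
    return hashlib.sha256(salt + secret).digest()


def store_secret(secret: bytes) -> dict:
    """Build the item to write (assumed layout): salt beside digest, never the plaintext."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt.hex(), "digest": salted_digest(secret, salt).hex()}


def verify_secret(item: dict, candidate: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    expected = bytes.fromhex(item["digest"])
    actual = salted_digest(candidate, bytes.fromhex(item["salt"]))
    return hmac.compare_digest(expected, actual)


def precomputed_table(guesses: list) -> dict:
    """Toy precomputed table (digest -> input), built once for a list of candidate inputs."""
    return {unsalted_digest(g): g for g in guesses}


def lookup(table: dict, digest: bytes):
    return table.get(digest)


if __name__ == "__main__":
    guesses = [b"api-key-0001", b"api-key-0002", b"hunter2"]  # constructed sample values
    table = precomputed_table(guesses)
    secret = b"api-key-0002"
    # Unsalted: the leaked digest is reversed instantly by a table lookup.
    print(lookup(table, unsalted_digest(secret)))          # b'api-key-0002'
    # Salted: the same secret's digest is not in any table built without that salt.
    item = store_secret(secret)
    print(lookup(table, bytes.fromhex(item["digest"])))     # None
    print(len(bytes.fromhex(item["digest"])) * 8)           # 256
    print(verify_secret(item, secret), verify_secret(item, b"wrong"))  # True False
```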