ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
After a recent security assessment, an organization learned that its internal user database containing unsalted SHA-1 password hashes could be stolen. The security team must prioritize a control that specifically raises the computational cost for an attacker performing offline brute-force or dictionary attacks against the hashes. Which approach best achieves this objective?
Enforce a policy requiring users to change their passwords every 30 days.
Configure the authentication system to lock an account after five failed login attempts within 15 minutes.
Encrypt the existing SHA-1 hash file with AES-256 in CBC mode and store the encryption key on the same server.
Replace SHA-1 with bcrypt, giving each password a unique random salt and a high work factor (bcrypt's cost parameter).
Offline brute-force and dictionary attacks succeed by rapidly hashing word-list or key-space candidates on the attacker's own hardware and comparing the results to the stolen hashes. Unsalted SHA-1 is the worst case: it runs at billions of guesses per second on a GPU, one computation of a candidate can be compared against every user's hash at once, and the results can be precomputed into lookup tables. The most effective mitigation is to store passwords with an adaptive, deliberately slow password-hashing function such as bcrypt (or scrypt or Argon2), giving each password a unique random salt and a high work factor. The salt defeats precomputed tables and forces the attacker to crack each hash separately; the work factor raises the cost of every guess, and because bcrypt's cost parameter is logarithmic (each increment doubles the number of rounds) it can be tuned upward as hardware improves. Account lockout only impedes online guessing against the live authentication service; it does nothing against cracking performed offline on the attacker's hardware. Frequent password changes do not slow an offline attack once the hash file is in hand; the copy the attacker holds stays crackable until the passwords in it are actually rotated. Encrypting the hash file with AES offers little protection if the key sits on the same server and is likely to be taken along with the hashes; once decrypted, the underlying fast, unsalted SHA-1 hashes are as weak as before. Therefore, migrating to salted bcrypt with an adequate work factor provides the strongest defense against offline brute-force and dictionary attacks. One practical caveat: existing SHA-1 hashes cannot be converted without the plaintext, so the migration either re-hashes each password at the user's next successful login or immediately wraps the legacy value (bcrypt computed over the SHA-1 hash) so that no fast hash remains on disk.
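The following is an added example, not part of the original question page. It shows why the unsalted fast hash falls to a single shared table while a salted slow hash costs the attacker one full computation per user per candidate, and it includes the re-hash-on-login migration mentioned above. The account names, passwords and word list are constructed for the demo. Because bcrypt needs a third-party package, the slow hash is PBKDF2-HMAC-SHA256 from Python's standard library; that is an assumption for portability, and bcrypt, scrypt or Argon2id would be used in practice with the same salt-and-work-factor logic.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the original page): three accounts, two of
# which share a weak password, and a small attacker word list.
USERS = {"alice": "winter2023", "bob": "winter2023", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "winter2023", "qwerty", "summer2022"]

# Assumption: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt
# so the example runs without third-party packages. In production use bcrypt,
# scrypt or Argon2id; the salt-and-work-factor logic below is the same.
DEFAULT_ITERATIONS = 600_000


def sha1_unsalted(password: str) -> str:
    """The legacy scheme from the question: fast, unsalted, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stolen: dict, wordlist) -> tuple:
    """Offline attack on unsalted hashes.

    One hash per candidate tests that candidate against every user at once,
    and this table could have been built before the breach.
    Returns (cracked {user: password}, number of hash computations).
    """
    table = {sha1_unsalted(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in stolen.items() if h in table}
    return cracked, len(table)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash in a self-describing string: algo$iterations$salt$digest."""
    salt = os.urandom(16)  # unique random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_salted(stolen: dict, wordlist) -> tuple:
    """Offline attack on salted slow hashes.

    The salt rules out any shared table: every (user, candidate) pair costs one
    full slow computation. Returns (cracked, number of hash computations).
    """
    cracked, work = {}, 0
    for user, stored in stolen.items():
        for word in wordlist:
            work += 1
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked, work


def login_and_migrate(user, password, legacy, modern, iterations=DEFAULT_ITERATIONS):
    """Verify a login and upgrade legacy SHA-1 entries on the fly.

    A SHA-1 hash cannot be converted to a salted slow hash without the
    plaintext, so the re-hash happens at the moment the user proves it.
    """
    if user in modern:
        return verify_password(password, modern[user])
    if user in legacy and hmac.compare_digest(sha1_unsalted(password), legacy[user]):
        modern[user] = hash_password(password, iterations)
        del legacy[user]
        return True
    return False


if __name__ == "__main__":
    import time

    legacy = {u: sha1_unsalted(p) for u, p in USERS.items()}
    print("unsalted SHA-1:", crack_unsalted(legacy, WORDLIST))

    modern = {u: hash_password(p, 20_000) for u, p in USERS.items()}
    print("salted slow hash:", crack_salted(modern, WORDLIST))

    # Each doubling of the work factor roughly doubles the cost of one guess.
    for iterations in (50_000, 100_000, 200_000):
        start = time.perf_counter()
        hash_password("winter2023", iterations)
        print(f"{iterations:>7} iterations: {time.perf_counter() - start:.3f}s per guess")
```

Running the script shows the two shared-password accounts cracked with five SHA-1 computations total, versus eleven slow computations for the same word list against the salted store, and the timing loop shows the per-guess cost scaling with the work factor. The second number grows with the number of users and the iteration count, which is exactly the lever the question is asking about.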