Chapter 53 Β· Quiz

Password Attacks Quiz

6 multiple-choice questions + 1 matching section. Select your answers, then click Submit.

Question 1 of 6
A security analyst notices that 500 different employee accounts each received exactly one failed login attempt within a 20-minute window, all using the password "123456." No account was locked out. Which attack type best describes this activity?
Question 2 of 6
An attacker obtains a copy of a web application's database containing hashed user passwords. They then run a cracking tool on their own workstation that computes millions of candidate password hashes per second and compares them to the stored digests. What is the primary reason this attack is operationally more dangerous than an online brute force attack?
Question 3 of 6
A developer is designing a new application and asks how passwords should be stored. Which answer is correct?
Question 4 of 6
An account lockout policy locks any account after 5 consecutive failed login attempts. Which password attack does this control MOST effectively mitigate, and which attack does it fail to address?
Question 5 of 6
What is the purpose of salting a password before hashing it?
Question 6 of 6
Which single control is effective against plaintext exposure, password spraying, online brute force, AND offline brute force attacks simultaneously?

Matching β€” Attack to Definition

Match each term on the left to its correct description on the right.

1. Password Spraying
2. Offline Brute Force
3. Plaintext Password Storage
4. Pre-image Resistance
A. A critical storage vulnerability in which user credentials are saved in their original unencrypted form, making them immediately readable without any computation
B. The hash function property that makes it computationally infeasible to work backward from a stored digest to determine the original password input
C. An attack that tests a few highly common passwords across many user accounts, limiting attempts per account to stay below lockout thresholds
D. An attack that operates against a locally downloaded hash file using full GPU computational power, with no interaction with the victim's authentication system