nerdexam
(ISC)2

CISSP · Question #1388

When testing password strength, which of the following is the BEST method for brute forcing passwords?

The correct answer is A. Conduct an offline attack on the hashed password information.. Offline attacks against hashed passwords allow unlimited guessing attempts without lockout, making them the most effective brute force method for testing password strength.

Submitted by packet_pusher· Mar 5, 2026Security Assessment and Testing

Question

When testing password strength, which of the following is the BEST method for brute forcing passwords?

Options

  • AConduct an offline attack on the hashed password information.
  • BConduct an online password attack until the account being used is locked.
  • CUse a comprehensive list of words to attempt to guess the password.
  • DUse social engineering methods to attempt to obtain the password.

How the community answered

(46 responses)
  • A
    65% (30)
  • B
    11% (5)
  • C
    17% (8)
  • D
    7% (3)

Why each option

Offline attacks against hashed passwords allow unlimited guessing attempts without lockout, making them the most effective brute force method for testing password strength.

AConduct an offline attack on the hashed password information.Correct

An offline attack involves obtaining a copy of the hashed password database and running brute force attempts locally against the hashes, bypassing account lockout policies entirely. This allows an attacker or tester to attempt millions or billions of password combinations per second using tools like Hashcat or John the Ripper without any network-imposed throttling or lockout risk, making it the most thorough and efficient brute force method.

BConduct an online password attack until the account being used is locked.

An online password attack sends guesses directly to the authentication service in real time, which is severely limited by account lockout policies and network latency, making it impractical for true brute force testing.

CUse a comprehensive list of words to attempt to guess the password.

Using a comprehensive word list describes a dictionary attack, which is a specific subset of password guessing that relies on common words rather than exhaustively trying all possible character combinations as true brute forcing requires.

DUse social engineering methods to attempt to obtain the password.

Social engineering is a human-manipulation technique used to trick individuals into revealing credentials and is not a brute force method, as it does not involve systematically guessing or cracking passwords algorithmically.

Concept tested: Offline vs online brute force password attack methods

Source: https://attack.mitre.org/techniques/T1110/001/

Topics

#Password cracking#Brute-force attack#Hashing#Offline attack

Community Discussion

No community discussion yet for this question.

Full CISSP Practice