CISSP · Question #1388
When testing password strength, which of the following is the BEST method for brute forcing passwords?
The correct answer is A. Conduct an offline attack on the hashed password information.. Offline attacks against hashed passwords allow unlimited guessing attempts without lockout, making them the most effective brute force method for testing password strength.
Question
Options
- AConduct an offline attack on the hashed password information.
- BConduct an online password attack until the account being used is locked.
- CUse a comprehensive list of words to attempt to guess the password.
- DUse social engineering methods to attempt to obtain the password.
How the community answered
(46 responses)- A65% (30)
- B11% (5)
- C17% (8)
- D7% (3)
Why each option
Offline attacks against hashed passwords allow unlimited guessing attempts without lockout, making them the most effective brute force method for testing password strength.
An offline attack involves obtaining a copy of the hashed password database and running brute force attempts locally against the hashes, bypassing account lockout policies entirely. This allows an attacker or tester to attempt millions or billions of password combinations per second using tools like Hashcat or John the Ripper without any network-imposed throttling or lockout risk, making it the most thorough and efficient brute force method.
An online password attack sends guesses directly to the authentication service in real time, which is severely limited by account lockout policies and network latency, making it impractical for true brute force testing.
Using a comprehensive word list describes a dictionary attack, which is a specific subset of password guessing that relies on common words rather than exhaustively trying all possible character combinations as true brute forcing requires.
Social engineering is a human-manipulation technique used to trick individuals into revealing credentials and is not a brute force method, as it does not involve systematically guessing or cracking passwords algorithmically.
Concept tested: Offline vs online brute force password attack methods
Source: https://attack.mitre.org/techniques/T1110/001/
Topics
Community Discussion
No community discussion yet for this question.