nerdexam
(ISC)2

CISSP · Question #455

Which of the following is a characteristic of a challenge/response authentication process?

The correct answer is B. Transmitting a hash based on the user's password. Challenge/response authentication is a protocol where the server sends a challenge (random value) and the client responds with a hash derived from the challenge and the user's password, never transmitting the password itself.

Submitted by dimitri_ru· Mar 5, 2026Identity and Access Management (IAM)

Question

Which of the following is a characteristic of a challenge/response authentication process?

Options

  • APresenting distorted graphics of text for authentication
  • BTransmitting a hash based on the user's password
  • CUsing a password history blacklist
  • DRequiring the use of non-consecutive numeric characters

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    94% (29)
  • C
    3% (1)

Why each option

Challenge/response authentication is a protocol where the server sends a challenge (random value) and the client responds with a hash derived from the challenge and the user's password, never transmitting the password itself.

APresenting distorted graphics of text for authentication

Presenting distorted graphics of text describes CAPTCHA, which is a human-verification mechanism to distinguish bots from humans, not a challenge/response authentication protocol.

BTransmitting a hash based on the user's passwordCorrect

In a challenge/response authentication scheme, the server issues a random challenge value, and the client computes a hash using the challenge combined with the user's password or credential, then sends only the hash back. This proves knowledge of the password without ever transmitting it in plaintext, which is the defining characteristic of the protocol (e.g., CHAP, NTLM, or MS-CHAPv2).

CUsing a password history blacklist

Using a password history blacklist is a password policy control that prevents reuse of previous passwords, which is unrelated to the challenge/response authentication mechanism.

DRequiring the use of non-consecutive numeric characters

Requiring non-consecutive numeric characters is a password complexity rule enforced during password creation, not a characteristic of the challenge/response authentication process.

Concept tested: Challenge/response authentication protocol characteristics

Source: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-chap/8f59d9e6-b660-4b18-b2d9-d7db09b8a3e6

Topics

#challenge/response authentication#hashing#authentication protocols

Community Discussion

No community discussion yet for this question.

Full CISSP Practice