nerdexam
(ISC)2

CISSP · Question #796

A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used

The correct answer is C. Use a hash function with a cost factor and a per-user random salt.. Storing passwords securely against offline attacks requires a slow, adaptive hashing algorithm with a per-user salt to make brute-force and dictionary attacks computationally expensive.

Submitted by manish99· Mar 5, 2026Software Development Security

Question

A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used to store these passwords to ensure offline attacks are difficult?

Options

  • AUse an encryption algorithm that is fast with a random per-user encryption key.
  • BUse a hash function that is fast with a per-user random salt.
  • CUse a hash function with a cost factor and a per-user random salt.
  • DUse an encryption algorithm with a random master key.

How the community answered

(21 responses)
  • A
    14% (3)
  • B
    5% (1)
  • C
    76% (16)
  • D
    5% (1)

Why each option

Storing passwords securely against offline attacks requires a slow, adaptive hashing algorithm with a per-user salt to make brute-force and dictionary attacks computationally expensive.

AUse an encryption algorithm that is fast with a random per-user encryption key.

Encryption is reversible, meaning if the master or per-user key is compromised, all passwords are immediately exposed in plaintext, which does not provide adequate protection for stored credentials.

BUse a hash function that is fast with a per-user random salt.

A fast hash function (such as MD5 or SHA-256) with a salt prevents rainbow table attacks but remains highly vulnerable to offline brute-force attacks because an attacker can compute billions of hashes per second with commodity hardware.

CUse a hash function with a cost factor and a per-user random salt.Correct

A hash function with a cost factor (such as bcrypt, scrypt, or Argon2) is specifically designed to be computationally slow and memory-intensive, making offline brute-force attacks extremely expensive even with modern hardware. The cost factor can be increased over time as hardware improves, maintaining resistance to attacks. The per-user random salt ensures that identical passwords produce different hashes, preventing rainbow table and batch-cracking attacks.

DUse an encryption algorithm with a random master key.

Encryption with a random master key is reversible and stores a single key that, if compromised, exposes all passwords simultaneously, providing no meaningful resistance to offline attacks once the key is obtained.

Concept tested: Secure password storage using adaptive hashing with salt

Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Topics

#password hashing#salting#key stretching#secure storage

Community Discussion

No community discussion yet for this question.

Full CISSP Practice