Which attack type is described, and why does the bank’s account lockout policy NOT prevent it?

• ADictionary attack, because the attacker is using a wordlist of probable passwords that bypasses lockout by staying below the threshold
• BPassword spraying, because only one password is tested per account, making it architecturally immune to per-account lockout
• CCredential stuffing, because the attacker submits one confirmed-working credential pair per account — never triggering lockout — and exploits password reuse rather than guessing
• DBrute force, because the attacker is systematically testing every possible combination of credentials from the leaked dataset at one attempt per account

A security auditor flags this implementation as flawed. Which of the following BEST identifies the weakness?

• AThe implementation is correct — prepending the username creates a unique value for each user, which is functionally equivalent to a proper salt and fully protects against precomputed attacks
• BUsernames are deterministic and publicly known, so an attacker can precompute a targeted rainbow table per username — and SHA-256’s speed makes offline brute force practical; a randomly generated per-user salt and a slow algorithm like bcrypt are both required
• CThe flaw is that SHA-256 should be replaced with MD5, which is a more modern algorithm designed specifically for password storage
• DThe username prepend is insecure only because usernames contain special characters that corrupt the hash function input

Which statement MOST accurately identifies the policy flaw and its security consequence?

• AThe policy is sound; the employees are failing to comply, so the solution is stricter enforcement and disciplinary action for predictable passwords
• BThe flaw is the 10-character minimum; NIST recommends exactly 8 characters with maximum complexity requirements to prevent guessing
• CThe policy is flawed only because it permits special symbols, which actually reduce keyspace by narrowing what characters users choose
• DThe forced 60-day rotation violates NIST SP 800-63B, which recommends against periodic rotation because it predictably causes users to make minimal incremental changes that an attacker who knows the pattern can easily enumerate

A security engineer proposes three changes after a breach:

Which statements describe changes that would genuinely improve resistance to the attacks they claim to address?

• AI only — bcrypt is the only meaningful improvement; salting and rotation have no impact on offline cracking
• BI and II only — bcrypt slows offline cracking and rotation limits credential validity windows
• CI and III only — bcrypt genuinely slows offline brute force and random salts genuinely defeat rainbow table precomputation; forced rotation is counterproductive per NIST SP 800-63B because it drives predictable incremental passwords
• DI, II, and III — all three changes provide independent layers of defense against offline cracking attacks

Which MOST accurately identifies the attacks available to the tester AND the single control with the broadest impact across all viable attacks?

• ARainbow table attack against the bcrypt hashes and credential stuffing using the pharmacy breach data; switching to Argon2 would defend against both
• BBrute force against the bcrypt hashes and password spraying using the default credential; increasing the lockout threshold from 8 to 3 attempts would defend against both
• CPassword spraying using the default credential and dictionary attack against weak passwords; deploying bcrypt would defend against both since it slows all password-based attacks
• DPassword spraying using “Welcome2026!” against all 1,400 accounts and credential stuffing using the pharmacy breach data; MFA is the broadest single defense because it stops both attacks even when the attacker has the correct password