CompTIA CASP+ (CAS-003) — Question 185

A security consultant was hired to audit a company's password are account policy. The company implements the following controls:
✑ Minimum password length: 16
✑ Maximum password age: 0
✑ Minimum password age: 0
✑ Password complexity: disabled
✑ Store passwords in plain text: disabled
✑ Failed attempts lockout: 3
✑ Lockout timeout: 1 hour
The password database uses salted hashes and PBKDF2. Which of the following is MOST likely to yield the greatest number of plain text passwords in the shortest amount of time?

Answer options

• A. Offline hybrid dictionary attack
• B. Offline brute-force attack
• C. Online hybrid dictionary password spraying attack
• D. Rainbow table attack
• E. Online brute-force attack
• F. Pass-the-hash attack

Correct answer: C

Explanation

The correct answer is C, as the online hybrid dictionary password spraying attack can efficiently test multiple common passwords across many accounts without being locked out quickly. Other methods, such as brute-force attacks and rainbow table attacks, may be limited by the account lockout policies and the complexity of the hashing, making them less effective in a short time frame.