1. Which of the following best describes password hashing?
A) Encrypting a password so it can be decrypted later
B) Converting a password into a fixed-length string that cannot be reversed
C) Storing passwords in plaintext for easy retrieval
D) Using symmetric encryption to protect passwords
Answer: B
Explanation: Password hashing transforms a password into a fixed-length string that cannot be reversed. Unlike encryption, hashing is a one-way function, meaning the original password cannot be derived from the hash.
2. Why is salting used in password hashing?
A) To make password storage faster
B) To make brute-force attacks easier
C) To ensure two users with the same password have different hash values
D) To replace the password with a secret key
Answer: C
Explanation: A salt is a unique, random string added to each password before hashing. This ensures that even if two users have the same password, their stored hashes will be different, preventing rainbow table attacks.
3. Which of the following hashing algorithms is considered the most secure for password storage?
A) MD5
B) SHA-256
C) bcrypt
D) DES
Answer: C
Explanation: bcrypt is specifically designed for password hashing and includes a work factor that makes it computationally expensive, slowing down brute-force attacks. MD5 and SHA-256 are fast and should not be used for password hashing.
4. What is a key weakness of using SHA-256 for password hashing?
A) It produces variable-length hashes
B) It is not a cryptographic function
C) It is too fast, making brute-force attacks easier
D) It does not generate unique hash values
Answer: C
Explanation: SHA-256 is too fast, making it unsuitable for password hashing. Attackers can brute-force billions of guesses per second. Secure hashing algorithms like bcrypt, scrypt, or Argon2 are preferred since they introduce computational delay.
5. What is a rainbow table attack?
A) A brute-force attack using a custom wordlist
B) A method to decrypt a hash directly
C) A precomputed table of hash values for common passwords
D) A side-channel attack on password storage
Answer: C
Explanation: A rainbow table attack involves using precomputed hash values for common passwords to quickly match them against stolen hashes. Salting passwords prevents this attack by making each stored hash unique.
6. What is the recommended hashing algorithm for new applications?
A) MD5
B) SHA-1
C) Argon2
D) Base64
Answer: C
Explanation: Argon2 is the recommended password hashing algorithm because it is memory-hard, making it resistant to GPU-based brute-force attacks.
7. How does peppering differ from salting?
A) Peppering uses a secret key known only to the server
B) Peppering adds a unique value to each password
C) Peppering is another name for hashing
D) Peppering is a deprecated technique
Answer: A
Explanation: Peppering adds an additional secret key (not stored in the database) to the password before hashing. This means even if an attacker gains access to the database, they cannot crack the hashes without the pepper value.
8. Why is MD5 considered insecure for password hashing?
A) It generates long hash values
B) It requires a key to hash passwords
C) It is vulnerable to fast brute-force and collision attacks
D) It does not work with modern operating systems
Answer: C
Explanation: MD5 is fast and weak, making it vulnerable to brute-force and collision attacks. It should never be used for password storage.
9. How can attackers exploit unsalted password hashes?
A) By using rainbow tables
B) By using public key cryptography
C) By injecting SQL queries
D) By encrypting the hashes
Answer: A
Explanation: Without salts, attackers can use precomputed hash values (rainbow tables) to quickly crack passwords.
10. Which factor improves the security of password hashing?
A) Using faster hash functions
B) Storing the hash in plaintext
C) Using a slow, computationally expensive hashing function
D) Reusing the same salt for all users
Answer: C
Explanation: Using slow, computationally expensive hashing functions (e.g., bcrypt, Argon2) increases the time required to crack hashes via brute-force attacks.
11. What is the primary purpose of a salt in password hashing?
A) To make brute-force attacks impossible
B) To prevent hash collisions
C) To add randomness, making precomputed attacks ineffective
D) To encrypt the password
Answer: C
Explanation: A salt adds randomness to each password hash, ensuring rainbow tables are ineffective.
12. What does bcrypt’s cost factor control?
A) The length of the hash
B) The amount of computational effort required to compute the hash
C) The size of the salt
D) The length of the password
Answer: B
Explanation: The cost factor in bcrypt determines the number of iterations, making it slower and harder to brute-force.
13. Which hashing method is most resistant to GPU-based brute-force attacks?
A) SHA-1
B) bcrypt
C) MD5
D) AES-256
Answer: B
Explanation: bcrypt introduces computational delay, making it resistant to parallel brute-force attacks using GPUs.
14. How does scrypt differ from bcrypt?
A) scrypt is optimized for hashing smaller passwords
B) scrypt requires less memory
C) scrypt is designed to be memory-intensive, making it harder for attackers to crack using hardware
D) bcrypt is faster than scrypt
Answer: C
Explanation: scrypt is a memory-hard function, making ASIC- and GPU-based attacks much more difficult.
15. What is the best practice for storing user passwords?
A) Encrypting them with AES-256
B) Hashing with SHA-256
C) Hashing with bcrypt or Argon2 and adding a unique salt
D) Storing them in plaintext
Answer: C
Explanation: Secure password storage requires hashing with a strong algorithm (e.g., bcrypt, Argon2) and using a unique salt.
16. What is an adaptive hashing algorithm?
A) A hash function that changes over time to remain secure
B) A hash function that adapts based on the length of the password
C) A hash function that encrypts data
D) A hash function that does not use salts
Answer: A
Explanation: Adaptive hashing functions like bcrypt, Argon2, and PBKDF2 allow the computation time to be increased as hardware gets faster.
17. What is an offline attack?
A) An attack that requires network access
B) An attack on a live system
C) An attack where password hashes are stolen and cracked later
D) An attack that requires brute-force authentication
Answer: C
Explanation: In an offline attack, an attacker has stolen the password hashes and cracks them locally without interacting with the server.
18. What happens if the same salt is used for all stored password hashes?
A) It enhances security by creating a consistent hashing mechanism
B) It makes brute-force attacks more difficult
C) It makes rainbow table attacks feasible for cracking multiple passwords at once
D) It prevents dictionary attacks
Answer: C
Explanation: If the same salt is used for all passwords, attackers can generate precomputed tables specific to that salt, making it easier to crack multiple password hashes.
19. Why is it a bad practice to hash passwords without a salt?
A) It increases password cracking speed
B) It allows attackers to use rainbow tables to crack passwords efficiently
C) It makes hashing slower
D) It prevents brute-force attacks
Answer: B
Explanation: Without a salt, attackers can use precomputed hash tables (rainbow tables) to crack passwords instantly if they match a known hash.
20. What is the primary advantage of Argon2 over bcrypt?
A) Argon2 is faster than bcrypt
B) Argon2 is memory-hard, making it resistant to GPU-based attacks
C) Argon2 uses weaker encryption for better performance
D) Argon2 does not require salts
Answer: B
Explanation: Argon2 is memory-hard, meaning it requires significant RAM to compute. This makes GPU-based attacks significantly harder compared to bcrypt.
21. What role does key stretching play in password security?
A) It reduces the time required for hashing
B) It increases the computational cost of password hashing to slow down brute-force attacks
C) It replaces the need for salts
D) It converts a password hash into an encrypted format
Answer: B
Explanation: Key stretching (e.g., PBKDF2, bcrypt, Argon2) makes brute-force attacks slower by adding computational overhead.
22. How does a work factor in password hashing improve security?
A) It makes hash computations faster
B) It determines how much memory is used in hashing
C) It increases the time required for hash calculations, slowing brute-force attempts
D) It allows passwords to be decrypted easily
Answer: C
Explanation: A work factor (cost factor) in bcrypt or Argon2 allows administrators to increase the computational difficulty over time as hardware improves.
23. Which attack attempts all possible password combinations?
A) Dictionary attack
B) Brute-force attack
C) Phishing attack
D) Man-in-the-middle attack
Answer: B
Explanation: A brute-force attack systematically tries every possible password until it finds a match.
24. How can a system protect against brute-force attacks on password hashes?
A) Use a strong, slow hashing function like bcrypt or Argon2
B) Use fast hashing functions like MD5
C) Store passwords in plaintext for quick verification
D) Remove the need for user authentication
Answer: A
Explanation: Slow hashing functions like bcrypt, Argon2, and PBKDF2 reduce the effectiveness of brute-force attacks by increasing computational effort.
25. What does “entropy” mean in the context of passwords?
A) The randomness and unpredictability of a password
B) The speed of the hashing function
C) The ability to decrypt a password hash
D) The number of times a password has been used
Answer: A
Explanation: Higher entropy means a password is more random and unpredictable, making it harder to guess.
26. Why is it important to hash passwords before storing them?
A) To prevent users from reusing passwords
B) To protect passwords even if the database is compromised
C) To increase the speed of authentication
D) To reduce storage space
Answer: B
Explanation: Hashing ensures that even if an attacker steals the database, they cannot retrieve plaintext passwords easily.
27. What is the primary goal of password hashing algorithms like Argon2 and bcrypt?
A) To encrypt passwords for later decryption
B) To securely store passwords in a way that is difficult to reverse
C) To store passwords in plaintext for fast retrieval
D) To replace the need for passwords
Answer: B
Explanation: Password hashing algorithms make it computationally expensive to reverse the hash, improving security.
28. What additional protection does “peppering” provide?
A) Prevents brute-force attacks completely
B) Adds a secret key that is not stored in the database, making cracking harder
C) Replaces the need for hashing
D) Allows the password to be easily recovered if lost
Answer: B
Explanation: Peppering adds a secret key that is not stored in the database, making stolen hashes useless without the pepper.
29. Why should users never reuse passwords?
A) It makes logging in easier
B) It increases vulnerability to credential stuffing attacks
C) It helps websites store fewer hashes
D) It speeds up authentication
Answer: B
Explanation: Credential stuffing attacks exploit password reuse by trying the same credentials on multiple websites.
30. What is the main difference between salting and peppering?
A) Salting is public, while peppering is secret
B) Peppering replaces hashing
C) Salting is optional, but peppering is required
D) They are the same
Answer: A
Explanation: A salt is stored with the hash, while a pepper is secret and not stored in the database.
31. Why is SHA-1 not recommended for password hashing?
A) It is too slow
B) It is vulnerable to collision attacks
C) It does not work on modern systems
D) It does not produce unique hashes
Answer: B
Explanation: SHA-1 is insecure due to collision vulnerabilities, meaning attackers can find two different inputs with the same hash.
32. What is the purpose of iterations in PBKDF2?
A) To make hashing faster
B) To increase hashing complexity and slow down brute-force attacks
C) To replace the need for a salt
D) To reduce storage requirements
Answer: B
Explanation: Iterations in PBKDF2 make brute-force attacks slower by requiring more computational effort.
33. What is the best way to handle a compromised password database?
A) Reset all user passwords and enforce stronger hashing
B) Decrypt all stored passwords
C) Delete user accounts
D) Store passwords in plaintext temporarily
Answer: A
Explanation: If passwords are leaked, immediately reset all passwords and upgrade to a stronger hashing algorithm.
34. What is a common mistake in password hashing implementation?
A) Using a unique salt for each password
B) Storing passwords in plaintext
C) Using bcrypt for hashing
D) Using a high cost factor
Answer: B
Explanation: Storing passwords in plaintext is a critical security flaw.
35. What is a good practice for password hashing?
A) Using a fast hashing algorithm
B) Using a memory-hard function like Argon2
C) Using the same salt for all users
D) Storing passwords with symmetric encryption
Answer: B
Explanation: Memory-hard functions like Argon2 protect against parallel brute-force attacks.
36. Which of the following best describes the role of a “work factor” in bcrypt?
A) It defines the length of the generated hash
B) It determines the amount of computational effort needed to derive a hash
C) It ensures the hash can be reversed if needed
D) It replaces the need for a salt
Answer: B
Explanation: The work factor (cost parameter) in bcrypt increases computational effort, making it more difficult for attackers to brute-force passwords as hardware improves.
37. Which of the following is NOT a common attack on password storage?
A) Brute-force attacks
B) SQL Injection
C) Rainbow table attacks
D) Public key cryptography attacks
Answer: D
Explanation: Public key cryptography is used for encryption and secure communications, not for attacking password storage. The other options (brute-force, SQL injection, and rainbow tables) are commonly used to attack passwords.
38. How does the Argon2 hashing algorithm protect against attackers using specialized hardware like ASICs and GPUs?
A) It includes a built-in salt function
B) It is memory-hard, requiring large amounts of RAM
C) It encrypts the password before hashing
D) It uses symmetric cryptographic keys
Answer: B
Explanation: Argon2 is designed to be memory-hard, making it expensive for attackers using specialized hardware such as ASICs and GPUs.
39. Why is it recommended to update password hashing algorithms periodically?
A) To ensure compatibility with older operating systems
B) To allow users to retrieve their passwords when needed
C) To counteract increasing computing power and advancements in attack techniques
D) To store passwords more efficiently
Answer: C
Explanation: As computational power increases, older hashing algorithms become easier to break, so periodically updating to a stronger algorithm improves security.
40. Which of the following is a major risk of using unsalted hashes?
A) Increased storage requirements
B) Hash collisions in small datasets
C) Predictability of hashes, enabling rainbow table attacks
D) Inability to verify passwords
Answer: C
Explanation: Unsalted hashes allow attackers to use precomputed hash databases (rainbow tables) to crack passwords instantly.
41. What is the impact of choosing a weak salt in password hashing?
A) It improves performance without reducing security
B) It allows passwords to be decrypted faster
C) It makes brute-force and rainbow table attacks more feasible
D) It reduces storage space needed for password hashes
Answer: C
Explanation: If a weak or predictable salt is used, attackers can precompute hashes, making brute-force attacks more effective.
42. Why should bcrypt and Argon2 be preferred over general-purpose hash functions like SHA-256 for password storage?
A) They are faster than SHA-256
B) They are resistant to brute-force attacks due to their computational cost
C) They do not require salts
D) They generate smaller hash outputs
Answer: B
Explanation: bcrypt and Argon2 are specifically designed for password hashing, incorporating features that increase computational cost and slow down brute-force attacks.
43. What is a dictionary attack?
A) An attack that replaces encrypted passwords with predefined values
B) An attack where a list of commonly used passwords is tested against a system
C) A method of encrypting passwords using a predefined dictionary
D) A technique that converts hashed passwords back to plaintext
Answer: B
Explanation: A dictionary attack involves testing a list of common passwords against a system to gain unauthorized access.
44. What is a secure approach for upgrading password hashing algorithms in an application?
A) Rehash passwords using the new algorithm when users log in
B) Convert all hashes to the new format immediately
C) Keep both the old and new hash for each password
D) Require users to change their password manually
Answer: A
Explanation: A secure way to upgrade password hashes is to rehash them when users log in. This ensures passwords are gradually migrated to a stronger algorithm without forcing immediate resets.
45. What is key stretching in password hashing?
A) A technique to reduce storage space for hashes
B) A method to expand short passwords into longer ones
C) A way to make brute-force attacks more expensive by applying multiple hashing iterations
D) A way to encrypt passwords before hashing
Answer: C
Explanation: Key stretching increases computational cost by applying multiple iterations of a hashing algorithm, making brute-force attacks more difficult.
46. Which of the following is a common mistake when implementing password hashing?
A) Using a unique salt for each password
B) Using a computationally expensive hashing algorithm
C) Storing the salt and hash together
D) Using fast cryptographic hash functions like SHA-256
Answer: D
Explanation: Fast cryptographic hash functions like SHA-256 are not suitable for password storage because they allow attackers to perform brute-force attacks quickly.
47. How can a system protect users from having weak passwords?
A) By forcing password changes every 30 days
B) By implementing password complexity rules and strength meters
C) By storing passwords in plaintext for easy retrieval
D) By blocking account access after one failed login attempt
Answer: B
Explanation: Implementing password complexity rules and strength meters helps users create stronger, more secure passwords.
48. Why is it important to use a high iteration count in PBKDF2?
A) It reduces storage space for password hashes
B) It makes password verification faster
C) It increases the time required for hashing, slowing brute-force attacks
D) It makes hashing easier for weak passwords
Answer: C
Explanation: Increasing the iteration count in PBKDF2 makes hashing slower, significantly reducing the effectiveness of brute-force attacks.
49. What is one major drawback of using PBKDF2 compared to Argon2?
A) PBKDF2 does not use a salt
B) PBKDF2 does not support variable-length hashes
C) PBKDF2 is not memory-hard, making it more vulnerable to GPU-based attacks
D) PBKDF2 produces weak hashes
Answer: C
Explanation: PBKDF2 lacks memory-hard properties, making it easier to crack with GPUs compared to Argon2, which is memory-hard.
50. What is an advantage of using a passphrase instead of a regular password?
A) Passphrases can be hashed faster
B) Passphrases are typically longer and have higher entropy, making them harder to brute-force
C) Passphrases eliminate the need for hashing
D) Passphrases are easier to guess
Answer: B
Explanation: Passphrases are longer and contain more entropy, making them significantly harder to brute-force or guess.
51. What is the primary purpose of a cryptographic salt in password hashing?
A) To allow password hashes to be reversed when needed
B) To ensure that identical passwords produce different hashes
C) To increase the length of the password
D) To make hashing faster
Answer: B
Explanation: A cryptographic salt ensures that even if two users choose the same password, their stored hashes will be different, preventing attackers from using precomputed hash tables.
52. What is a common characteristic of key derivation functions (KDFs) used for password hashing?
A) They are optimized for fast computation
B) They include a work factor to slow down brute-force attacks
C) They generate identical hashes for the same input without variation
D) They store the original password in encrypted form
Answer: B
Explanation: Key derivation functions (KDFs) like PBKDF2, bcrypt, and Argon2 use work factors to increase computational effort, slowing down brute-force attacks.
53. What is the main advantage of using memory-hard hashing algorithms like Argon2?
A) They prevent password reuse
B) They require more memory, making large-scale brute-force attacks more difficult
C) They generate shorter hash outputs
D) They use symmetric encryption to protect hashes
Answer: B
Explanation: Memory-hard algorithms like Argon2 require significant RAM, making brute-force attacks harder to execute on GPUs and specialized hardware.
54. Why should applications enforce a minimum password length requirement?
A) Shorter passwords are harder to remember
B) Longer passwords increase entropy, making brute-force attacks more difficult
C) Short passwords can always be cracked instantly
D) Minimum length requirements make hashing more secure
Answer: B
Explanation: Longer passwords increase entropy (randomness), making them harder to crack via brute-force or dictionary attacks.
55. What is the recommended password hashing approach for modern applications?
A) Encrypt passwords instead of hashing them
B) Use bcrypt, Argon2, or PBKDF2 with a unique salt for each password
C) Store passwords in plaintext for faster authentication
D) Use MD5 for quick and efficient password hashing
Answer: B
Explanation: bcrypt, Argon2, and PBKDF2 are designed specifically for password hashing and should be used with unique salts.
56. How does an attacker typically exploit weak password hashing implementations?
A) By using SQL Injection to manipulate database queries
B) By launching brute-force and dictionary attacks on stolen password hashes
C) By bypassing the hashing function and gaining direct access to passwords
D) By using phishing attacks to trick users into revealing passwords
Answer: B
Explanation: If an attacker steals password hashes, they can use brute-force and dictionary attacks to attempt to recover plaintext passwords.
57. Which of the following is an example of a poor password storage practice?
A) Hashing passwords with bcrypt and using a unique salt
B) Storing passwords in plaintext
C) Using Argon2 with an appropriate cost factor
D) Implementing PBKDF2 with a high iteration count
Answer: B
Explanation: Storing passwords in plaintext is one of the worst security practices, making stolen credentials immediately exploitable.
58. What does increasing the iteration count in PBKDF2 accomplish?
A) It makes password hashing slower, increasing the cost of brute-force attacks
B) It reduces the size of the stored hash
C) It eliminates the need for a salt
D) It speeds up password verification
Answer: A
Explanation: Increasing iterations makes hashing more computationally expensive, slowing down brute-force attacks.
59. What makes SHA-512 unsuitable for storing user passwords?
A) It generates hashes that are too long
B) It is too fast, making brute-force attacks easier
C) It does not support salting
D) It cannot hash passwords longer than 16 characters
Answer: B
Explanation: SHA-512 is optimized for speed, making brute-force attacks faster and more efficient. Password hashing functions should be computationally expensive.
60. Which of the following best describes a “pepper” in password security?
A) A unique, random string added to each password before hashing
B) A secret key stored separately from the database to add extra protection
C) A public key used in asymmetric encryption
D) A hashing function that does not require a salt
Answer: B
Explanation: A pepper is a secret key stored separately from the database, adding an extra layer of security in case the database is compromised.
61. What happens if an application reuses salts across multiple users?
A) It improves hashing speed
B) It allows attackers to use rainbow table attacks more effectively
C) It increases the strength of password hashes
D) It makes password recovery easier for users
Answer: B
Explanation: Reusing salts makes hash values predictable, allowing attackers to precompute hash tables for brute-force attacks.
62. What is a practical limitation of increasing the work factor in bcrypt too much?
A) It increases storage space
B) It slows down legitimate user authentication too much
C) It reduces password strength
D) It makes salting unnecessary
Answer: B
Explanation: A very high work factor in bcrypt can slow down user logins significantly, creating a poor user experience.
63. What is one method to protect against offline brute-force attacks on password hashes?
A) Enforcing password rotation every 30 days
B) Using multi-factor authentication
C) Using slow, computationally expensive hash functions
D) Storing passwords in a separate database
Answer: C
Explanation: Slow hash functions like Argon2 and bcrypt make offline brute-force attacks computationally expensive.
64. Why is HMAC (Hash-based Message Authentication Code) not commonly used for password hashing?
A) It cannot hash passwords longer than 16 characters
B) It does not allow salting
C) It requires a secret key, which is impractical for user authentication
D) It is not a cryptographic function
Answer: C
Explanation: HMAC requires a secret key, which is impractical for hashing user passwords because it requires secure key management.
65. What type of attack involves guessing passwords based on common words and phrases?
A) Brute-force attack
B) Dictionary attack
C) Credential stuffing attack
D) SQL Injection attack
Answer: B
Explanation: A dictionary attack systematically tests common words, phrases, and previously leaked passwords against login systems.
66. Which hashing algorithm is specifically designed for password hashing?
A) MD5
B) bcrypt
C) SHA-1
D) RSA
Answer: B
Explanation: bcrypt is designed for password hashing, while MD5 and SHA-1 are general-purpose hash functions.
67. What is the best way to handle forgotten passwords securely?
A) Store passwords in plaintext so they can be retrieved
B) Allow users to reset their password via email verification
C) Display the user’s password hint on the login page
D) Use reversible encryption for stored passwords
Answer: B
Explanation: Secure password reset mechanisms (such as email verification) allow users to recover their accounts without exposing credentials.
68. What is one major disadvantage of storing password hashes in a database?
A) Hashes can be reversed easily
B) If the database is compromised, attackers can attempt brute-force attacks on the hashes
C) Hashing increases storage space requirements significantly
D) Password hashes slow down database performance
Answer: B
Explanation: If password hashes are stolen, attackers can perform offline brute-force attacks to crack them.
69. What is a recommended best practice when implementing password policies?
A) Enforce complex passwords and require frequent password changes
B) Allow weak passwords for ease of access
C) Store passwords using symmetric encryption
D) Disable user accounts after one failed login attempt
Answer: A
Explanation: Strong password policies (complexity requirements and rotation rules) help reduce security risks.
70. What is the primary security benefit of using passphrases instead of passwords?
A) Passphrases are longer and more resistant to brute-force attacks
B) Passphrases are easier for attackers to crack
C) Passphrases eliminate the need for hashing
D) Passphrases are faster to type
Answer: A
Explanation: Passphrases are longer and contain more entropy, making them significantly harder to brute-force or guess.
71. What is one reason why a system should avoid forcing frequent password changes?
A) It increases the security of stored hashes
B) Users may choose weaker passwords due to frustration
C) It helps prevent brute-force attacks
D) It allows attackers to access accounts more easily
Answer: B
Explanation: Forcing frequent password changes can cause users to select weaker, more predictable passwords, making them easier to guess or crack.
72. Which method is most effective for protecting password hashes from offline attacks?
A) Using a fast hashing algorithm
B) Encrypting password hashes
C) Using a slow, computationally expensive hashing function like Argon2
D) Storing passwords with Base64 encoding
Answer: C
Explanation: Argon2, bcrypt, and PBKDF2 are slow and computationally expensive, making offline brute-force attacks impractical.
73. What is a major security risk of storing password hashes without a salt?
A) It increases the length of the password
B) It allows two users with the same password to have identical hashes
C) It makes hashing slower
D) It prevents brute-force attacks
Answer: B
Explanation: Without a salt, identical passwords will always produce the same hash, making attacks using precomputed hash tables (rainbow tables) possible.
74. Why is password stretching important in password hashing?
A) It increases the hash length
B) It slows down brute-force attacks by increasing hashing iterations
C) It allows passwords to be stored in plaintext
D) It makes passwords shorter and easier to remember
Answer: B
Explanation: Password stretching (e.g., PBKDF2, bcrypt, Argon2) makes it computationally expensive to hash passwords, slowing brute-force attacks.
75. What is the recommended action if a password database is compromised?
A) Keep the same hashing method and alert users
B) Reset all passwords and implement a stronger hashing algorithm
C) Encrypt the database to make it more secure
D) Increase the length of all stored passwords
Answer: B
Explanation: A breach requires immediate password resets and potentially upgrading to a stronger hashing function to prevent future attacks.
76. What is the role of a pepper in password hashing?
A) It replaces the salt
B) It adds an additional secret value not stored in the database
C) It speeds up hash computation
D) It enables password recovery
Answer: B
Explanation: A pepper is a secret value stored separately from the database, adding an extra layer of security.
77. Why is using a common salt across all users insecure?
A) It makes password recovery easier
B) It allows attackers to precompute password hashes
C) It prevents brute-force attacks
D) It speeds up login authentication
Answer: B
Explanation: A common salt allows attackers to precompute hash values, making rainbow table attacks feasible.
78. What is the impact of a low work factor in bcrypt hashing?
A) It makes hashing faster, reducing login delays
B) It strengthens password security
C) It makes brute-force attacks easier
D) It prevents hash collisions
Answer: C
Explanation: A low work factor means hashing is too fast, allowing attackers to guess more passwords per second.
79. What does “entropy” in passwords refer to?
A) The amount of randomness in a password
B) The speed at which a password is hashed
C) The time it takes to recover a password
D) The number of characters in a password
Answer: A
Explanation: Higher entropy means more randomness, making passwords harder to guess or crack.
80. Why is SHA-256 not the best choice for password hashing?
A) It is too slow for modern systems
B) It is designed for speed, making brute-force attacks easier
C) It does not generate unique hashes
D) It cannot hash long passwords
✅ Answer: B
🔹 Explanation: SHA-256 is a fast cryptographic hash function, making it unsuitable for password hashing because it allows rapid brute-force attacks.
81. What is the primary goal of key stretching in password hashing?
A) To make brute-force attacks more expensive by requiring multiple hashing iterations
B) To reduce storage requirements for password hashes
C) To allow easy password retrieval when needed
D) To create shorter hashes
✅ Answer: A
🔹 Explanation: Key stretching techniques (e.g., bcrypt, PBKDF2, Argon2) make brute-force attacks significantly more time-consuming and computationally expensive.
82. What is a credential stuffing attack?
A) Guessing passwords using brute-force techniques
B) Using previously leaked username-password pairs on multiple services
C) Cracking password hashes using rainbow tables
D) Encrypting passwords before storing them
✅ Answer: B
🔹 Explanation: Credential stuffing attacks use leaked username-password pairs from past breaches to try logging into other services.
83. What is an effective defense against credential stuffing attacks?
A) Using weak password hashing algorithms
B) Implementing rate-limiting and multi-factor authentication (MFA)
C) Allowing users to reuse old passwords
D) Disabling account lockouts
✅ Answer: B
🔹 Explanation: Rate-limiting and MFA prevent attackers from testing large numbers of credentials rapidly.
84. What is the recommended hashing function for modern password storage?
A) MD5
B) bcrypt or Argon2
C) SHA-1
D) DES
✅ Answer: B
🔹 Explanation: bcrypt and Argon2 are designed specifically for secure password hashing, incorporating work factors to slow down brute-force attacks.
85. How does salting prevent rainbow table attacks?
A) It makes all password hashes identical
B) It ensures that each password hash is unique, even if passwords are the same
C) It encrypts password hashes
D) It allows passwords to be reversed when needed
✅ Answer: B
🔹 Explanation: Salting ensures that identical passwords result in different hash values, making rainbow tables ineffective.
86. Why is it important to store password hashes instead of plaintext passwords?
A) To comply with cybersecurity regulations
B) To prevent unauthorized access if the database is compromised
C) To allow faster user authentication
D) To make brute-force attacks easier
✅ Answer: B
🔹 Explanation: Storing only password hashes ensures that even if the database is stolen, attackers cannot see plaintext passwords.
87. What should an organization do if they are using a weak password hashing function?
A) Immediately migrate to a stronger hashing function like Argon2 or bcrypt
B) Increase password length requirements without changing the hashing function
C) Store passwords as encrypted text instead
D) Keep the existing function but enforce frequent password resets
✅ Answer: A
🔹 Explanation: Weak hashing functions (e.g., MD5, SHA-1) should be replaced with secure ones like bcrypt or Argon2.
88. Why should password hashes not be reversible?
A) It increases password length
B) It prevents stored passwords from being revealed if the database is compromised
C) It speeds up authentication
D) It ensures compatibility with all systems
✅ Answer: B
🔹 Explanation: Non-reversible hashing ensures that passwords cannot be retrieved, even if the hashes are stolen.
89. Why is adding a delay after failed login attempts beneficial?
A) It prevents users from logging in
B) It discourages brute-force attacks by increasing the time required for each guess
C) It makes the hashing algorithm more efficient
D) It replaces the need for multi-factor authentication
✅ Answer: B
🔹 Explanation: Delays after failed logins slow down brute-force attempts, making automated attacks less effective.
90. How does multi-factor authentication (MFA) enhance password security?
A) It replaces the need for passwords
B) It adds an extra layer of security by requiring additional verification
C) It allows users to use shorter passwords
D) It prevents brute-force attacks completely
✅ Answer: B
🔹 Explanation: MFA requires users to verify their identity using multiple factors, reducing the risk of compromised passwords.
91. What is the biggest risk of allowing users to set weak passwords?
A) Weak passwords cannot be hashed properly
B) Weak passwords increase the risk of brute-force and credential stuffing attacks
C) Weak passwords make password hashing slower
D) Weak passwords are easier to encrypt
✅ Answer: B
🔹 Explanation: Weak passwords are easy to guess or brute-force, making user accounts vulnerable to attacks.
92. Why should developers avoid implementing custom password hashing algorithms?
A) Custom algorithms can be more secure than standard ones
B) Most custom implementations are vulnerable to cryptographic weaknesses
C) Custom algorithms are easier to use than bcrypt or Argon2
D) Custom implementations do not require salting
✅ Answer: B
🔹 Explanation: Cryptographic algorithms require extensive testing, and custom implementations often introduce security flaws.
93. How does a slow hashing algorithm protect user passwords?
A) It reduces password length requirements
B) It prevents hash collisions
C) It makes brute-force attacks computationally expensive
D) It allows easy password recovery
✅ Answer: C
🔹 Explanation: Slow hashing functions (bcrypt, Argon2) increase the time required for each password guess, making brute-force attacks less practical.
94. What is a good practice when implementing password reset functionality?
A) Sending the user’s original password via email
B) Allowing users to retrieve their old password
C) Generating a unique, time-limited password reset token
D) Storing passwords using symmetric encryption
✅ Answer: C
🔹 Explanation: Password reset tokens should be unique, time-limited, and securely transmitted to prevent unauthorized access.
95. How can an organization ensure that users create strong passwords?
A) By forcing frequent password changes
B) By setting minimum complexity rules and a password strength meter
C) By allowing short passwords for ease of use
D) By storing passwords in plaintext
✅ Answer: B
🔹 Explanation: Password complexity rules and strength meters encourage users to create strong, unpredictable passwords.
96. What is one downside of enforcing overly complex password rules?
A) Users may write down their passwords, increasing security risks
B) Passwords become easier to guess
C) It prevents the use of special characters
D) It makes hashing more efficient
✅ Answer: A
🔹 Explanation: If password rules are too strict, users may write down passwords or use patterns, reducing security.
97. How does password hashing differ from encryption?
A) Encryption is one-way, while hashing is reversible
B) Hashing is one-way and cannot be reversed, while encryption can be decrypted
C) Hashing and encryption are the same
D) Encryption does not require keys
✅ Answer: B
🔹 Explanation: Hashing is a one-way function that cannot be reversed, whereas encryption allows decryption with a key.
98. Why should password hashes be updated when upgrading to a stronger algorithm?
A) To make authentication faster
B) To ensure old passwords remain compatible
C) To improve password security against new attacks
D) To reduce database storage size
✅ Answer: C
🔹 Explanation: As computing power increases, older hash functions become weaker, so migrating to stronger algorithms is necessary.
99. How can a password manager improve security?
A) By generating and storing strong, unique passwords for each site
B) By storing plaintext passwords for easy retrieval
C) By requiring users to memorize multiple complex passwords
D) By encrypting user passwords before hashing
✅ Answer: A
🔹 Explanation: Password managers generate and store strong, unique passwords, preventing users from reusing weak passwords.
100. Why is hashing passwords multiple times (key stretching) useful?
A) It makes password cracking significantly more time-consuming
B) It allows passwords to be reversed when needed
C) It reduces memory usage
D) It eliminates the need for salts
✅ Answer: A
🔹 Explanation: Key stretching increases computational cost, making brute-force attacks much harder.
101. Why is using a hash function with a fixed output length important?
A) It ensures faster processing
B) It prevents brute-force attacks
C) It provides a consistent hash size regardless of input length
D) It allows hash decryption when needed
✅ Answer: C
🔹 Explanation: A fixed output length ensures consistent storage and processing of hashed passwords.
102. How can two-factor authentication (2FA) help protect hashed passwords?
A) It prevents all password-related attacks
B) It forces users to change passwords regularly
C) It requires an additional factor beyond the password to authenticate users
D) It makes password hashing unnecessary
✅ Answer: C
🔹 Explanation: 2FA adds an extra layer of security, making stolen passwords alone insufficient for account access.
103. Why should password reset links be time-limited?
A) To prevent an attacker from using an old reset link to hijack accounts
B) To reduce database storage
C) To allow passwords to expire automatically
D) To make password resets faster
✅ Answer: A
🔹 Explanation: Time-limited reset links prevent attackers from reusing stolen reset links.
104. How does an attacker typically obtain a hashed password database?
A) By brute-forcing every password in the system
B) By exploiting security vulnerabilities like SQL injection
C) By requesting password hashes from the administrator
D) By guessing all passwords manually
✅ Answer: B
🔹 Explanation: SQL injection and misconfigured servers are common ways attackers steal password hash databases.
105. How does rate limiting help prevent brute-force attacks?
A) It makes password hashing faster
B) It blocks repeated failed login attempts
C) It allows unlimited login attempts for authorized users
D) It hashes passwords multiple times
✅ Answer: B
🔹 Explanation: Rate limiting blocks excessive login attempts, reducing the effectiveness of brute-force attacks.
106. Why is allowing users to reuse old passwords a common password policy mistake?
A) Reused passwords are easier to remember
B) Previously compromised passwords can be used by attackers
C) It reduces password hashing speed
D) It improves system performance
✅ Answer: B
🔹 Explanation: If users reuse old passwords, attackers can use leaked credentials from past breaches.
107. What is a hybrid attack in password cracking?
A) A combination of brute-force and dictionary attacks
B) An attack that requires two separate login attempts
C) A method of encrypting password hashes
D) A technique to store passwords securely
✅ Answer: A
🔹 Explanation: A hybrid attack combines brute-force and dictionary attacks, trying common words with slight variations.
108. Why should user passwords never be stored using Base64 encoding?
A) Base64 encoding is not a cryptographic function and can be easily reversed
B) Base64 hashes passwords securely
C) Base64 prevents brute-force attacks
D) Base64 is the best method for encrypting passwords
✅ Answer: A
🔹 Explanation: Base64 is an encoding method, not a cryptographic function, meaning it can be easily reversed.
109. What is a best practice for handling multiple failed login attempts?
A) Allow unlimited retries
B) Lock the account permanently
C) Introduce a progressive delay for each failed attempt
D) Require users to create a new password
✅ Answer: C
🔹 Explanation: Progressive delays after failed logins slow down brute-force attacks while allowing legitimate users to retry.
110. What is one major benefit of using passkeys instead of passwords?
A) Passkeys replace passwords with cryptographic authentication, eliminating the risk of password leaks
B) Passkeys are easier to remember
C) Passkeys increase brute-force attack efficiency
D) Passkeys use MD5 to store passwords securely
✅ Answer: A
🔹 Explanation: Passkeys use public-key cryptography for authentication, eliminating the need to store and hash passwords.
111. What is the best practice for verifying a password entered by a user during login?
A) Compare the plaintext password directly with the stored hash
B) Hash the entered password and compare it with the stored hash
C) Encrypt the entered password and compare it with the stored encrypted value
D) Store both the plaintext password and its hash for validation
✅ Answer: B
🔹 Explanation: Passwords should always be hashed before storing and compared against the stored hash during login.
112. What is a major risk of using outdated hashing algorithms like SHA-1?
A) They generate large hash values
B) They are susceptible to collision attacks, allowing attackers to generate the same hash from different inputs
C) They require excessive computational resources
D) They do not support password salting
✅ Answer: B
🔹 Explanation: SHA-1 is vulnerable to collision attacks, meaning two different inputs can generate the same hash, weakening security.
113. What should be done if a user enters an incorrect password multiple times?
A) Lock the account permanently
B) Introduce exponential backoff (progressive delay) for each failed attempt
C) Allow unlimited retries
D) Immediately delete the user’s account
✅ Answer: B
🔹 Explanation: Progressive delay increases wait time after multiple failed attempts, reducing the risk of brute-force attacks.
114. What is an effective way to prevent password spraying attacks?
A) Using the same password for multiple accounts
B) Implementing account lockout after multiple failed login attempts
C) Using weak passwords for faster authentication
D) Storing passwords in plaintext
✅ Answer: B
🔹 Explanation: Password spraying tries common passwords across many accounts, so account lockouts or login attempt restrictions help mitigate this.
115. Why is it important to generate a random salt for each user password?
A) It makes hashing faster
B) It ensures identical passwords produce different hash values
C) It allows easy password recovery
D) It reduces storage space requirements
✅ Answer: B
🔹 Explanation: A unique salt prevents identical passwords from having the same hash, protecting against rainbow table attacks.
116. What is the main function of a password hashing algorithm?
A) To encrypt passwords for later decryption
B) To transform passwords into a fixed-length string that cannot be reversed
C) To store passwords in plaintext for easier access
D) To speed up authentication processes
✅ Answer: B
🔹 Explanation: Hashing is a one-way function that converts passwords into a fixed-length irreversible string.
117. What is a common vulnerability when developers use weak or predictable salts?
A) The password hash becomes longer
B) Attackers can still use precomputed hash attacks
C) Password verification becomes slower
D) It makes the system incompatible with encryption algorithms
✅ Answer: B
🔹 Explanation: If salts are weak or predictable, attackers can precompute hashes, making it easier to crack passwords.
118. What is a common characteristic of a good password hashing function?
A) It should be as fast as possible
B) It should be slow and computationally expensive
C) It should generate short hashes for efficient storage
D) It should allow password retrieval
✅ Answer: B
🔹 Explanation: Good password hashing functions (bcrypt, Argon2, PBKDF2) are intentionally slow, making brute-force attacks more difficult.
119. Why should hashed passwords never be sent via email to users?
A) Email servers store passwords securely
B) Email transmission is often unencrypted, exposing sensitive data
C) Hashed passwords can be easily decrypted
D) Email clients automatically hash passwords for security
✅ Answer: B
🔹 Explanation: Emails are often transmitted in plaintext, making sending password hashes via email highly insecure.
120. What is a common mistake when implementing password hashing?
A) Using a unique salt for each user
B) Using bcrypt with a high work factor
C) Hashing passwords without a salt
D) Storing password hashes in a secure database
✅ Answer: C
🔹 Explanation: Hashing passwords without a salt makes them vulnerable to rainbow table attacks.
121. What is the main benefit of using an adaptive hashing algorithm like bcrypt?
A) It supports encryption of passwords
B) It allows the computational difficulty to be increased over time
C) It reduces storage requirements
D) It eliminates the need for salts
✅ Answer: B
🔹 Explanation: Adaptive hashing functions allow difficulty to be increased, keeping up with advancements in computing power.
122. Which type of attack attempts common passwords across multiple accounts?
A) Brute-force attack
B) Dictionary attack
C) Password spraying attack
D) SQL injection attack
✅ Answer: C
🔹 Explanation: Password spraying tests a few common passwords against many user accounts, avoiding account lockouts.
123. Why is it important to hash security questions and answers?
A) To prevent users from forgetting their security answers
B) To ensure security answers are stored securely, like passwords
C) To speed up authentication processes
D) To allow security answers to be retrieved when needed
✅ Answer: B
🔹 Explanation: Security questions can be guessed or leaked, so they should be hashed like passwords to prevent misuse.
124. What is a key advantage of using Argon2 over PBKDF2?
A) Argon2 is much faster than PBKDF2
B) Argon2 is memory-hard, making GPU-based attacks more difficult
C) PBKDF2 does not support password hashing
D) PBKDF2 generates shorter hash values
✅ Answer: B
🔹 Explanation: Argon2 is memory-hard, making GPU/ASIC-based attacks significantly harder compared to PBKDF2.
125. Why should developers use well-tested cryptographic libraries instead of writing their own hashing functions?
A) Custom functions are more secure
B) Cryptographic libraries have been tested and audited for security vulnerabilities
C) Custom implementations are easier to maintain
D) Hashing passwords does not require security best practices
✅ Answer: B
🔹 Explanation: Well-tested cryptographic libraries are rigorously audited, ensuring higher security than custom implementations.
126. What is the primary reason for enforcing a password expiration policy?
A) To prevent long-term use of compromised passwords
B) To increase user frustration
C) To reduce storage space
D) To make authentication faster
✅ Answer: A
🔹 Explanation: Frequent password changes help mitigate risks if credentials are leaked but should be balanced with usability.
127. How does an attacker benefit from leaked password hashes?
A) They can directly log in to user accounts
B) They can perform offline brute-force attacks to retrieve plaintext passwords
C) They can encrypt the hashes for protection
D) They can use the hashes as passwords directly
✅ Answer: B
🔹 Explanation: If attackers steal password hashes, they can attempt brute-force attacks offline to recover plaintext passwords.
128. What is an effective defense against users choosing weak passwords?
A) Allowing users to choose any password for convenience
B) Implementing password strength policies and real-time feedback
C) Storing passwords in plaintext for easy verification
D) Using reversible encryption instead of hashing
✅ Answer: B
🔹 Explanation: Password strength policies and feedback mechanisms guide users to create stronger passwords.
129. What is one way to securely store user passwords without hashing?
A) Store passwords in an encrypted format
B) Store passwords as plaintext for easier retrieval
C) Store passwords in Base64 encoding
D) There is no secure way to store passwords without hashing
✅ Answer: D
🔹 Explanation: Passwords should always be hashed because even encrypted passwords can be decrypted if compromised.
130. Why should password hints be avoided?
A) They make passwords easier to crack
B) They increase hashing speed
C) They reduce storage requirements
D) They help users remember passwords securely
✅ Answer: A
🔹 Explanation: Password hints provide attackers with clues, making guessing passwords easier.
131. What is a primary reason why organizations enforce password complexity rules?
A) To make passwords harder to remember
B) To increase entropy and reduce the likelihood of brute-force attacks
C) To make password hashing faster
D) To ensure users reuse the same password across multiple platforms
✅ Answer: B
🔹 Explanation: Password complexity rules enforce strong passwords, increasing entropy and reducing vulnerability to brute-force attacks.
132. Why should security questions NOT be used as a primary authentication method?
A) They make passwords harder to guess
B) The answers are often easily guessed or found through social engineering
C) They are stored securely with encryption
D) They cannot be reset once forgotten
✅ Answer: B
🔹 Explanation: Security questions can often be guessed or obtained through social engineering, making them a weak authentication method.
133. How does using unique salts for each password help security?
A) It ensures different users have different hash values even if they use the same password
B) It makes passwords recoverable if forgotten
C) It speeds up brute-force attacks
D) It allows multiple users to share the same password hash
✅ Answer: A
🔹 Explanation: Unique salts ensure identical passwords generate different hashes, preventing rainbow table attacks.
134. Which type of hashing function should be avoided for password storage?
A) MD5
B) Argon2
C) bcrypt
D) PBKDF2
✅ Answer: A
🔹 Explanation: MD5 is fast and insecure, making it vulnerable to brute-force and collision attacks.
135. How can an organization reduce the risk of credential reuse attacks?
A) Allow users to set the same password across multiple services
B) Implement unique password requirements and encourage password managers
C) Store passwords in plaintext for easy verification
D) Allow short, simple passwords for ease of use
✅ Answer: B
🔹 Explanation: Unique password policies and password managers help users avoid reusing passwords, reducing credential reuse attacks.
136. What is a key limitation of increasing password complexity requirements?
A) Users may write down passwords or reuse them in multiple places
B) It makes brute-force attacks easier
C) It prevents password hashing
D) It eliminates the need for multi-factor authentication
✅ Answer: A
🔹 Explanation: Overly complex password requirements can lead to users writing down passwords or reusing them, which introduces security risks.
137. Why should password hashing be performed on the server instead of the client?
A) The server has better computational resources
B) Hashing on the client allows attackers to see the hash before transmission
C) The client does not support hashing algorithms
D) The server can generate shorter password hashes
✅ Answer: B
🔹 Explanation: Hashing on the client exposes the hash to attackers before transmission, making man-in-the-middle attacks possible.
138. Why are weak hashing functions a security risk?
A) They require excessive memory
B) They allow hashes to be reversed easily or cracked quickly
C) They do not support encryption
D) They require multi-factor authentication
✅ Answer: B
🔹 Explanation: Weak hashing functions (e.g., MD5, SHA-1) can be cracked quickly, making them unsuitable for password storage.
139. What is the purpose of using salts in password hashing?
A) To make stored hashes longer
B) To ensure the same password does not produce the same hash across different users
C) To make hashing faster
D) To replace the need for multi-factor authentication
✅ Answer: B
🔹 Explanation: Salting prevents identical passwords from having the same hash, reducing the effectiveness of precomputed attacks.
140. What is the most secure way to implement password authentication?
A) Storing passwords in plaintext for quick retrieval
B) Using bcrypt or Argon2 with a unique salt for each password
C) Storing passwords with symmetric encryption
D) Using MD5 for fast password verification
✅ Answer: B
🔹 Explanation: bcrypt and Argon2 are recommended password hashing algorithms that slow down brute-force attacks and use salting for added security.
141. Why is it important to set a reasonable maximum password length?
A) It prevents denial-of-service attacks using extremely long passwords
B) It ensures passwords are easy to remember
C) It makes brute-force attacks easier
D) It speeds up password hashing
✅ Answer: A
🔹 Explanation: Attackers may try denial-of-service (DoS) attacks by submitting extremely long passwords to slow down authentication systems.
142. How does a slow hashing function improve security?
A) It prevents brute-force attacks by increasing the time required for each attempt
B) It allows faster login attempts
C) It reduces password complexity requirements
D) It eliminates the need for salts
✅ Answer: A
🔹 Explanation: Slow hashing functions like bcrypt and Argon2 increase the time needed for brute-force attempts, making attacks more difficult.
143. Why is hashing better than encrypting passwords for storage?
A) Hashes are irreversible, while encrypted passwords can be decrypted
B) Hashing allows passwords to be recovered if forgotten
C) Hashing makes password retrieval faster
D) Encryption does not require keys
✅ Answer: A
🔹 Explanation: Hashing is a one-way function, meaning even if an attacker steals the hash, they cannot retrieve the original password.
144. How can an attacker bypass password hashing security?
A) By stealing the password hashes and performing offline cracking
B) By encrypting the hashes
C) By storing passwords in Base64 encoding
D) By using two-factor authentication
✅ Answer: A
🔹 Explanation: If an attacker gains access to password hashes, they can attempt offline brute-force attacks to crack passwords.
145. Why is password length more important than complexity?
A) Longer passwords have higher entropy, making them harder to crack
B) Complexity makes passwords easier to guess
C) Longer passwords allow for weaker hashing
D) Password length prevents rainbow table attacks
✅ Answer: A
🔹 Explanation: Longer passwords have greater entropy, meaning they are significantly harder to brute-force.
146. How can an organization protect against users choosing weak passwords?
A) Implement password strength policies and encourage password managers
B) Allow users to set any password they want
C) Store weak passwords with stronger hashes
D) Use faster hashing algorithms
✅ Answer: A
🔹 Explanation: Password strength policies and password managers help users create stronger, more secure passwords.
147. What is a key risk of using predictable salts?
A) It allows hash collisions
B) Attackers can precompute hash values for common passwords
C) It makes password hashing slower
D) It eliminates brute-force attacks
✅ Answer: B
🔹 Explanation: Predictable salts enable attackers to precompute hash values, reducing the security benefits of salting.
148. Why should password resets require identity verification?
A) To prevent attackers from resetting user passwords
B) To store passwords securely
C) To make password hashing faster
D) To increase brute-force resistance
✅ Answer: A
🔹 Explanation: Verifying a user’s identity before resetting their password prevents unauthorized account takeovers.
149. What is an advantage of using passphrases instead of passwords?
A) Passphrases are longer and have higher entropy, making them harder to brute-force
B) Passphrases can be stored in plaintext
C) Passphrases eliminate the need for hashing
D) Passphrases are easier to brute-force
✅ Answer: A
🔹 Explanation: Passphrases are longer and contain more randomness, making them significantly harder to brute-force or guess.
150. What is a common attack that targets stored password hashes?
A) SQL injection
B) Offline brute-force attacks
C) Man-in-the-middle attacks
D) Denial-of-service (DoS) attacks
✅ Answer: B
🔹 Explanation: Offline brute-force attacks involve attackers stealing password hashes and attempting to crack them offline.
151. What is the best practice for hashing administrator passwords differently from regular users?
A) Using a separate, stronger hashing algorithm for administrator accounts
B) Storing administrator passwords in plaintext for faster access
C) Encrypting administrator passwords instead of hashing them
D) Using a weaker hashing algorithm for administrators to speed up login
✅ Answer: A
🔹 Explanation: Administrator accounts require stronger security measures, including stronger password hashing functions to prevent privilege escalation in case of a breach.
152. What is a key reason to avoid using sequential numbers or dictionary words in passwords?
A) They make hashing algorithms run slower
B) They are more susceptible to dictionary and brute-force attacks
C) They increase password entropy
D) They make password recovery easier
✅ Answer: B
🔹 Explanation: Passwords that use dictionary words or sequences (e.g., “123456” or “password”) are easy to guess, making them highly vulnerable to attacks.
153. Why should developers avoid using hardcoded passwords in applications?
A) Hardcoded passwords cannot be hashed
B) They can be easily extracted from source code or binaries
C) They make brute-force attacks harder
D) They provide an extra layer of security
✅ Answer: B
🔹 Explanation: Hardcoded passwords are a major security risk because they can be extracted from application binaries or configuration files.
154. What type of attack exploits weak password reset mechanisms?
A) Credential stuffing attack
B) Password spraying attack
C) Account recovery attack
D) SQL injection attack
✅ Answer: C
🔹 Explanation: Account recovery attacks exploit weak or improperly secured password reset functions, such as security questions that can be guessed.
155. What is an effective way to store salts securely?
A) Store them in a separate database from the password hashes
B) Encrypt them using the same key as the password hashes
C) Use the same salt for every user to simplify storage
D) Do not store salts at all
✅ Answer: A
🔹 Explanation: Storing salts separately from password hashes makes it harder for attackers to use precomputed attacks if they gain database access.
156. What is one advantage of using a password manager?
A) It automatically encrypts stored passwords using public-key cryptography
B) It helps users generate and store strong, unique passwords
C) It allows the use of shorter passwords
D) It eliminates the need for multi-factor authentication
✅ Answer: B
🔹 Explanation: Password managers help users create and store unique, strong passwords, reducing the risk of password reuse attacks.
157. Why should user accounts be temporarily locked after multiple failed login attempts?
A) To prevent users from logging in again
B) To slow down brute-force and password spraying attacks
C) To encourage users to choose simpler passwords
D) To force password resets
✅ Answer: B
🔹 Explanation: Account lockouts prevent attackers from attempting unlimited password guesses, slowing down brute-force attacks.
158. What is the primary advantage of using Argon2 over bcrypt?
A) Argon2 is designed to be memory-hard, making it resistant to GPU-based attacks
B) Argon2 hashes passwords faster than bcrypt
C) Argon2 does not require a salt
D) Argon2 uses a weaker algorithm to save computation time
✅ Answer: A
🔹 Explanation: Argon2 is memory-hard, meaning it requires significant RAM to compute hashes, making it more resistant to GPU-based attacks than bcrypt.
159. What is a common security risk associated with password hints?
A) They allow passwords to be encrypted more securely
B) They often reveal too much information, making passwords easier to guess
C) They make brute-force attacks impossible
D) They make hashing algorithms more efficient
✅ Answer: B
🔹 Explanation: Password hints can give attackers clues that make guessing passwords easier.
160. What is the best method for enforcing strong passwords in an application?
A) Requiring a minimum length and complexity rules
B) Allowing users to reuse passwords for convenience
C) Allowing only alphanumeric characters in passwords
D) Using a fixed set of preapproved passwords
✅ Answer: A
🔹 Explanation: Enforcing minimum length and complexity rules ensures stronger passwords, making brute-force attacks more difficult.
161. Why should users avoid using the same password for multiple accounts?
A) It makes password management easier
B) It increases the risk of credential stuffing attacks
C) It makes hashing passwords faster
D) It prevents brute-force attacks
✅ Answer: B
🔹 Explanation: If one password is compromised, attackers can use it to gain access to multiple accounts (credential stuffing attacks).
162. Why is SHA-3 not widely used for password hashing?
A) It does not support salting
B) It is designed for general cryptographic hashing, not for password hashing
C) It is faster than bcrypt and Argon2
D) It has known security vulnerabilities
✅ Answer: B
🔹 Explanation: SHA-3 is a cryptographic hash function designed for general hashing purposes, not password hashing, which requires additional security features like work factors.
163. What is a recommended security practice for multi-user authentication systems?
A) Store the same password hash for multiple users
B) Use a unique salt for each password
C) Allow users to set short passwords for faster authentication
D) Disable two-factor authentication for ease of access
✅ Answer: B
🔹 Explanation: Each user’s password should have a unique salt, preventing precomputed attack methods like rainbow tables.
164. How does multi-factor authentication (MFA) enhance password security?
A) It eliminates the need for passwords
B) It adds an additional verification step beyond the password
C) It makes passwords easier to remember
D) It speeds up login authentication
✅ Answer: B
🔹 Explanation: MFA requires an extra verification step, such as a one-time code or biometric authentication, reducing the risk of password compromise.
165. What is one major security risk of storing password hashes in a misconfigured cloud database?
A) The database can be accessed by unauthorized users
B) Hashing passwords in the cloud slows down authentication
C) Passwords cannot be recovered if lost
D) The cloud database does not support hashing algorithms
✅ Answer: A
🔹 Explanation: Misconfigured cloud databases can expose sensitive data, including hashed passwords, to unauthorized users.
166. What is the impact of using a very low cost factor for bcrypt?
A) It makes password hashing too fast, allowing rapid brute-force attacks
B) It increases hashing security
C) It makes password storage more efficient
D) It prevents password resets
✅ Answer: A
🔹 Explanation: A low cost factor in bcrypt allows rapid brute-force attacks, reducing security.
167. What is the purpose of “key stretching” in password security?
A) To expand weak passwords into longer ones
B) To slow down brute-force attacks by adding multiple hashing iterations
C) To make password hashes shorter for storage
D) To encrypt passwords instead of hashing them
✅ Answer: B
🔹 Explanation: Key stretching (e.g., in PBKDF2, bcrypt, Argon2) increases computational effort, making brute-force attacks more difficult.
168. How does a “pepper” improve password security?
A) It adds an additional secret key that is not stored in the database
B) It replaces the need for salts
C) It speeds up password verification
D) It eliminates the need for hashing
✅ Answer: A
🔹 Explanation: A pepper is an extra secret key added to the password before hashing, making database breaches less effective.
169. Why should applications enforce password uniqueness when users reset their password?
A) To ensure users do not reuse compromised passwords
B) To reduce database storage size
C) To allow easy recovery of old passwords
D) To speed up hashing processes
✅ Answer: A
🔹 Explanation: Enforcing password uniqueness prevents users from reusing previously compromised passwords.
170. What is the most effective way to secure password hashes from future attacks?
A) Regularly update to stronger hashing algorithms as technology advances
B) Use MD5 for fast password hashing
C) Store hashes in plaintext for easy access
D) Allow users to store their passwords in a document
✅ Answer: A
🔹 Explanation: As computing power increases, upgrading to stronger hashing algorithms (bcrypt, Argon2) ensures long-term security.
171. What is the primary risk of using outdated password hashing algorithms like SHA-1?
A) They produce longer hash values
B) They are vulnerable to precomputed and collision attacks
C) They require too much storage space
D) They cannot be used in cloud environments
✅ Answer: B
🔹 Explanation: SHA-1 is vulnerable to collision and precomputed attacks, making it unsuitable for secure password hashing.
172. How does an attacker benefit from gaining access to a password hash database?
A) They can immediately log in using the hashed passwords
B) They can attempt offline brute-force attacks on the hashes
C) They can decrypt the hashes with a simple key
D) They can disable multi-factor authentication
✅ Answer: B
🔹 Explanation: If an attacker obtains hashed passwords, they can perform offline brute-force attacks to try to recover plaintext passwords.
173. What is one reason bcrypt is preferred over SHA-256 for password hashing?
A) bcrypt is faster than SHA-256
B) bcrypt is memory-hard, making it resistant to brute-force attacks
C) bcrypt does not require salting
D) bcrypt allows password retrieval
✅ Answer: B
🔹 Explanation: bcrypt is intentionally slow and resistant to GPU-based attacks, unlike SHA-256, which is too fast for secure password storage.
174. Why should password hashes not be stored in log files?
A) Logs are often stored in plaintext and may be accessible to attackers
B) Logs automatically encrypt stored hashes
C) Logs allow for easier password recovery
D) Logs require a separate database
✅ Answer: A
🔹 Explanation: Logs are often stored in plaintext and may be accessible to unauthorized users, leading to security breaches.
175. Why is MD5 not recommended for password hashing?
A) It is too slow for modern systems
B) It generates unpredictable hash values
C) It is vulnerable to fast brute-force attacks and collisions
D) It does not work with long passwords
✅ Answer: C
🔹 Explanation: MD5 is fast and has known collision vulnerabilities, making it insecure for password storage.
176. Why is a fixed salt across all passwords a security risk?
A) It reduces storage requirements
B) It allows attackers to precompute hashes for all users
C) It speeds up password hashing
D) It ensures passwords can be decrypted
✅ Answer: B
🔹 Explanation: If all users share the same salt, attackers can generate precomputed tables (rainbow tables) for cracking multiple hashes.
177. What is a security concern when implementing password reset functionality?
A) Sending reset links via email without expiration
B) Requiring users to enter their old password before resetting
C) Using challenge questions instead of email verification
D) Forcing users to reset passwords every 30 days
✅ Answer: A
🔹 Explanation: Reset links should have expiration times to prevent attackers from using old links to gain unauthorized access.
178. Why should an organization use a dedicated password hashing library instead of writing its own hashing function?
A) Custom hashing functions are more secure
B) Well-tested libraries are more resistant to attacks and vulnerabilities
C) Hashing functions do not require security best practices
D) Custom implementations are easier to manage
✅ Answer: B
🔹 Explanation: Dedicated password hashing libraries are thoroughly tested for security vulnerabilities, making them safer than custom implementations.
179. How does a work factor in bcrypt improve security?
A) It makes password hashing faster
B) It increases the time required to compute a hash, slowing brute-force attacks
C) It allows passwords to be decrypted easily
D) It reduces storage requirements for hashes
✅ Answer: B
🔹 Explanation: The work factor increases bcrypt’s computational cost, making brute-force attacks more difficult over time.
180. Why should developers avoid limiting the character set for user passwords?
A) It prevents users from using passwords that are easy to remember
B) It reduces the entropy of passwords, making them easier to crack
C) It makes brute-force attacks impossible
D) It increases the efficiency of password hashing
✅ Answer: B
🔹 Explanation: Restricting character sets reduces password entropy, making passwords more predictable and easier to crack.
181. What is the role of memory-hard functions in password hashing?
A) They reduce the length of hashed passwords
B) They increase the cost of brute-force attacks by requiring significant memory usage
C) They allow passwords to be stored in plaintext
D) They eliminate the need for salts
✅ Answer: B
🔹 Explanation: Memory-hard functions like Argon2 make it difficult for attackers to use specialized hardware (e.g., GPUs) for password cracking.
182. What is a potential risk of allowing users to copy and paste passwords into input fields?
A) It makes hashing less secure
B) It allows malware to intercept passwords from the clipboard
C) It reduces the entropy of passwords
D) It prevents brute-force attacks
✅ Answer: B
🔹 Explanation: Malicious software can monitor and steal copied passwords from the clipboard, posing a security risk.
183. Why should applications avoid displaying specific error messages for failed login attempts?
A) It slows down brute-force attacks
B) It prevents attackers from identifying valid usernames or passwords
C) It makes login forms harder to use
D) It increases database storage requirements
✅ Answer: B
🔹 Explanation: Generic error messages prevent attackers from distinguishing between invalid usernames and incorrect passwords, reducing enumeration attacks.
184. What is a common mistake when migrating from an old password hashing algorithm to a new one?
A) Hashing the old hashes instead of users’ actual passwords
B) Requiring users to reset their passwords
C) Using an outdated algorithm for backward compatibility
D) Encrypting all old hashes before storing them
✅ Answer: A
🔹 Explanation: Re-hashing an already hashed password does not improve security, as the original weak hash remains vulnerable.
185. Why should an application enforce minimum password length requirements?
A) Longer passwords increase entropy and make brute-force attacks harder
B) Short passwords are harder to remember
C) Longer passwords make hashing faster
D) Minimum length requirements reduce database storage needs
✅ Answer: A
🔹 Explanation: Longer passwords provide higher entropy, making brute-force attacks more difficult.
186. How does credential stuffing differ from brute-force attacks?
A) Credential stuffing tests known username-password pairs from previous breaches
B) Credential stuffing uses random character combinations
C) Credential stuffing targets only administrator accounts
D) Credential stuffing only works against hashed passwords
✅ Answer: A
🔹 Explanation: Credential stuffing uses leaked username-password pairs to try logging into other services.
187. What is one way to improve password hashing performance while maintaining security?
A) Use a hardware security module (HSM) for hashing
B) Use MD5 instead of bcrypt
C) Store passwords in plaintext for faster authentication
D) Reduce the salt length
✅ Answer: A
🔹 Explanation: HSMs can handle cryptographic operations efficiently while maintaining high security standards.
188. Why should password managers generate random passwords for users?
A) To ensure each password is unique and highly resistant to attacks
B) To speed up password hashing
C) To simplify the authentication process
D) To make password recovery easier
✅ Answer: A
🔹 Explanation: Randomly generated passwords prevent users from choosing weak or reused passwords, increasing security.
189. What is a key advantage of passkeys over traditional passwords?
A) Passkeys use public-key cryptography, eliminating the need for stored passwords
B) Passkeys can be decrypted easily
C) Passkeys allow users to reuse passwords across multiple sites
D) Passkeys work only on local devices
✅ Answer: A
🔹 Explanation: Passkeys use asymmetric cryptography, making them more secure than traditional passwords.
190. What is a good security measure for protecting password reset tokens?
A) Hashing the reset token before storing it
B) Sending the token in plaintext via email
C) Allowing the reset token to be used indefinitely
D) Storing the reset token in the browser cache
✅ Answer: A
🔹 Explanation: Reset tokens should be hashed before storage to prevent unauthorized use if leaked.
191. What is a key difference between Argon2 and PBKDF2?
A) Argon2 is memory-hard, while PBKDF2 is not
B) PBKDF2 is designed for password hashing, while Argon2 is not
C) Argon2 does not use salts, while PBKDF2 does
D) PBKDF2 is slower than Argon2
✅ Answer: A
🔹 Explanation: Argon2 is memory-hard, meaning it requires significant RAM to execute, making it more resistant to brute-force attacks compared to PBKDF2.
192. What is a common mistake when implementing password hashing in web applications?
A) Using a hashing algorithm specifically designed for passwords
B) Implementing password hashing without salting
C) Storing password hashes instead of plaintext passwords
D) Using Argon2 for hashing passwords
✅ Answer: B
🔹 Explanation: Without salting, identical passwords generate the same hash, making attacks like rainbow table attacks easier.
193. How can organizations ensure users create strong, unique passwords?
A) Allow users to reuse their last five passwords
B) Implement password strength meters and enforce complexity rules
C) Store passwords in plaintext for easy validation
D) Allow only numerical passwords for easier entry
✅ Answer: B
🔹 Explanation: Password strength meters and complexity rules encourage users to create strong passwords, reducing security risks.
194. What is an important consideration when selecting a password hashing algorithm?
A) The algorithm should be as fast as possible
B) The algorithm should be resistant to brute-force attacks
C) The algorithm should store passwords in plaintext
D) The algorithm should not use salts
✅ Answer: B
🔹 Explanation: A secure password hashing algorithm (e.g., bcrypt, Argon2) should be computationally expensive, making brute-force attacks impractical.
195. Why should an application prevent pasting passwords into login forms?
A) To prevent users from using password managers
B) To reduce the risk of clipboard-based attacks
C) To make logging in faster
D) To require users to memorize passwords
✅ Answer: B
🔹 Explanation: Preventing pasting in login fields helps reduce the risk of malware stealing copied passwords from the clipboard.
196. What is the biggest risk of using static salts instead of unique salts per user?
A) It increases password complexity
B) It makes brute-force attacks more difficult
C) It allows attackers to precompute hashes for known passwords
D) It eliminates the need for hashing
✅ Answer: C
🔹 Explanation: A static salt does not prevent attackers from precomputing hash values for common passwords, making them vulnerable to rainbow table attacks.
197. What is a significant downside of requiring frequent password changes?
A) It reduces brute-force attack attempts
B) It encourages users to choose weaker passwords
C) It strengthens overall system security
D) It speeds up authentication
✅ Answer: B
🔹 Explanation: Frequent password changes can lead users to create predictable, weaker passwords or reuse variations, reducing security.
198. How does rate-limiting help protect against password cracking attempts?
A) It prevents all password attacks
B) It forces users to reset their passwords after failed attempts
C) It slows down repeated failed login attempts, making brute-force attacks impractical
D) It hashes passwords faster
✅ Answer: C
🔹 Explanation: Rate-limiting reduces the effectiveness of brute-force attacks by restricting login attempts per user/IP address.
199. What is the main reason organizations should implement two-factor authentication (2FA)?
A) It replaces the need for password hashing
B) It prevents all password-related attacks
C) It adds an additional layer of security in case passwords are compromised
D) It makes logging in faster
✅ Answer: C
🔹 Explanation: 2FA ensures that even if an attacker steals a password, they still need an additional factor (e.g., OTP, biometric) to access the account.
200. How can developers ensure that stored password reset tokens are secure?
A) Hash the token before storing it in the database
B) Store the token in plaintext for easy retrieval
C) Allow tokens to be reused multiple times
D) Set tokens to never expire
✅ Answer: A
🔹 Explanation: Hashing reset tokens before storage ensures that even if the database is compromised, attackers cannot use the tokens directly.