A storage as a service company implements both encryption at rest as well as encryption in transit of
customers’ data. The security administrator is concerned with the overall security of the encrypted customer
data stored by the company servers and wants the development team to implement a solution that will
strengthen the customer’s encryption key. Which of the following, if implemented, will MOST increase the time
an offline password attack against the customers’ data would take?

A.
key = NULL ; for (int i=0; i<5000; i++) { key = sha(key + password) }

B.
password = NULL ; for (int i=0; i<10000; i++) { password = sha256(key) }

C.
password = password + sha(password+salt) + aes256(password+salt)

D.
key = aes128(sha256(password), password))