A security engineer is asked by the company’s development team to recommend the most secure method for
Which of the following provide the BEST protection against brute forcing stored passwords? (Choose two.)
A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies some function (like a hash or HMAC) to the password or passphrase along with a salt to produce a derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides incorporating a salt
to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be
increased to make it slower, so it remains resistant to brute-force search attacks even with increasing
The bcrypt function is the default password hash algorithm for BSD and many other systems.
Dulaney, Emmett, and Chuck Easttom. CompTIA Security+ Study Guide, 6th Edition. Sybex, Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256