A security engineer is asked by the company’s development team to recommend the most secure
method for password storage.
Which of the following provide the BEST protection against brute forcing stored passwords?
(Select TWO).

A.
PBKDF2

B.
MD5

C.
SHA2

D.
Bcrypt

E.
AES

F.
CHAP

Explanation:
A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies
some function (like a hash or HMAC) to the password or passphrase along with Salt to produce a
derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over
time, the iteration count can be increased to make it slower, so it remains resistant to brute-force
search attacks even with increasing computation power.
The bcrypt function is the default password hash algorithm for BSD and many other systems.
References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex,
Indianapolis, 2014, pp 109-110, 139, 143, 250, 255-256, 256