Weekly CISSP Practice
Exam Questions
Week 17 - Question 2
What should be implemented to mitigate the risk of password brute-force attacks?
A. Password rotation
B. Password complexity
C. Account lockout
D. Multi-factor authentication
Answer: C
A. Password Rotation
Password rotation requires users to change their passwords at set intervals (e.g., every 90 days).
The Goal: It limits the "lifespan" of a compromised credential. If an attacker steals a password but doesn't use it immediately, rotation makes that stolen data useless after the interval passes.
Why it's incorrect here: Rotation does nothing to stop an automated script from trying 10,000 passwords in five minutes. In fact, current guidance (such as NIST's) now discourages frequent forced rotation because it leads users to choose weaker, predictable passwords (e.g., Spring2026!, Summer2026!).
B. Password Complexity
Complexity rules require a mix of uppercase, lowercase, numbers, and symbols.
The Goal: It increases the entropy of the password, significantly expanding the "keyspace" an attacker must search through.
Why it's incorrect here: While complexity makes a brute-force attack take longer mathematically, it does not stop the attack from happening. An attacker can still hammer the login portal with millions of attempts; they just have a lower probability of success per attempt.
C. Account Lockout
Account lockout is a threshold-based control that disables an account after a specific number of failed attempts (e.g., 5 failed logins).
Why it's the Answer: This is the most direct technical mitigation for online brute-force attacks. By locking the account, you strip the attacker of their ability to continue guessing. It forces a "cool-down" period or requires administrative intervention, effectively neutralizing automated guessing tools.
The Trade-off: Be aware that account lockout can be used by attackers to trigger a Denial of Service (DoS) against legitimate users by intentionally failing logins for known usernames. To counter this, many organizations now use "progressive delays" or "CAPTCHAs" instead of a hard lockout.
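To make the lockout-versus-progressive-delay trade-off concrete, here is an added Python illustration (not code from the original page or from CISSP Cyber Training). It models a login gate that either disables an account after five consecutive failures, as in the answer, or instead doubles a wait period after each failure. The attempt stream, the username "alice", and the timings are constructed for the simulation; a real deployment would persist the per-account state in a shared store rather than a process-local dictionary.

```python
"""Throttling failed logins: hard account lockout versus progressive delay.

Added illustration, not from the original page. Time is integer milliseconds
so the replay is deterministic; the attempt stream at the bottom is constructed.
"""
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until_ms: int = 0   # hard-lockout expiry (0 = not locked)
    next_allowed_ms: int = 0   # earliest time a new attempt is accepted (delay mode)


class LoginThrottle:
    """Decides whether an attempt may even reach the password check.

    mode="lockout": disable the account for lockout_ms after `threshold`
                    consecutive failures (the control the question asks for).
    mode="delay":   no hard lockout; each failure doubles a wait period
                    (1 s, 2 s, 4 s, ...). Automation is still starved, but a
                    deliberately failing attacker cannot lock the victim out
                    for long, which is the DoS concern the page raises.
    """

    def __init__(self, mode="lockout", threshold=5, lockout_ms=15 * 60_000,
                 base_delay_ms=1_000):
        if mode not in ("lockout", "delay"):
            raise ValueError("mode must be 'lockout' or 'delay'")
        self.mode = mode
        self.threshold = threshold
        self.lockout_ms = lockout_ms
        self.base_delay_ms = base_delay_ms
        self._accounts = {}  # username -> AccountState (process-local for the demo)

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def allowed(self, username, now_ms):
        """True if the attempt may proceed to password verification."""
        st = self._state(username)
        if self.mode == "lockout":
            return now_ms >= st.locked_until_ms
        return now_ms >= st.next_allowed_ms

    def record_failure(self, username, now_ms):
        st = self._state(username)
        st.failures += 1
        if self.mode == "lockout":
            if st.failures >= self.threshold:
                st.locked_until_ms = now_ms + self.lockout_ms
        else:
            # Exponential back-off, capped so the wait stays bounded.
            exponent = min(st.failures - 1, 10)
            st.next_allowed_ms = now_ms + self.base_delay_ms * (2 ** exponent)

    def record_success(self, username):
        self._accounts[username] = AccountState()  # reset counters on success

    def consecutive_failures(self, username):
        return self._state(username).failures


def guesses_reaching_verifier(throttle, attempts):
    """Replay (now_ms, username, correct) attempts and return how many the
    throttle actually let through to the credential check."""
    evaluated = 0
    for now_ms, user, correct in attempts:
        if not throttle.allowed(user, now_ms):
            continue  # rejected before any credential work happens
        evaluated += 1
        if correct:
            throttle.record_success(user)
        else:
            throttle.record_failure(user, now_ms)
    return evaluated


# Constructed attack stream: a script fires 1,000 wrong guesses at one
# account, one every 10 ms, over ten seconds.
AUTOMATED_GUESSES = [(i * 10, "alice", False) for i in range(1000)]

if __name__ == "__main__":
    for mode in ("lockout", "delay"):
        n = guesses_reaching_verifier(LoginThrottle(mode=mode), AUTOMATED_GUESSES)
        print(f"{mode:8s}: {n} of {len(AUTOMATED_GUESSES)} guesses were evaluated")
```

Replaying the same ten-second burst through both policies shows the point of the question: without a threshold every one of the 1,000 guesses is evaluated, hard lockout stops the attacker after the fifth, and the doubling delay lets only four through while still releasing the account after fifteen seconds rather than fifteen minutes.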
D. Multi-Factor Authentication (MFA)
MFA requires a second factor (like a TOTP code or a push notification) to complete the login.
The Nuance: While MFA is the best overall defense for account security, the question asks what specifically mitigates the brute-force attack itself.
The Distinction: If an attacker successfully brute-forces a password, MFA stops them from accessing the account. However, the "brute-force" part of the attack (the guessing of the password) was still successful. Account lockout is the specific mechanism designed to break the guessing process.
Key Takeaway for the CISSP Exam
Brute-Force Variations:
- Online Brute-Force: Attacking a live login page. Mitigated by Account Lockout.
- Offline Brute-Force: Attacking a stolen database of hashes. Mitigated by Salting and Key Stretching (making each guess computationally expensive).
- Credential Stuffing: Using passwords leaked from other sites. Mitigated by MFA.
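The offline case in the list above is about the stored hash rather than the login page. As an added example (not code from the original page), the Python below stores a password as a random per-user salt plus a PBKDF2-HMAC-SHA256 digest, the standard-library form of salting and key stretching. The usernames, passwords and the 600,000-iteration default are constructed for the demonstration; the storage string format is an assumption of this example, not a format the page specifies.

```python
"""Salting and key stretching for stored passwords. Added illustration,
not from the original page. Uses only the Python standard library."""
import hashlib
import hmac
import os
import time

# Constructed default: work factor applied to every verification (and so to
# every guess an attacker makes against a stolen hash).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cost_per_guess_ms(iterations):
    """Measure how long one verification takes at a given work factor; this is
    the per-guess cost an offline attacker pays as well."""
    record = hash_password("constructed-sample", iterations=iterations)
    start = time.perf_counter()
    verify_password("constructed-sample", record)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    # Constructed users who chose the same password: the salt keeps the
    # stored records different, so one cracked hash does not reveal the other.
    alice = hash_password("Summer2026!")
    bob = hash_password("Summer2026!")
    print("records differ:", alice != bob)
    print("alice verifies:", verify_password("Summer2026!", alice))
    print("wrong password:", verify_password("Spring2026!", alice))
    for iters in (1, 10_000, PBKDF2_ITERATIONS):
        print(f"{iters:>7} iterations: {cost_per_guess_ms(iters):.2f} ms per guess")
```

Two records for the same password never match because of the salt, so precomputed tables stop working, and the iteration count is stored with the record so it can be raised later without breaking existing users; each increase multiplies what an attacker pays per guess against a stolen table by the same factor.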
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.