Exam 312-50v13 Topic 1 Question 501 Discussion

Actual exam question for ECCouncil's 312-50v13 exam
Question #: 501
Topic #: 1
Under the neon glow of Seattle's skyline, ethical hacker Elena Vasquez slips into her role as a cybersecurity consultant for Cascade Financial's online banking platform. Tasked with probing the web server's defenses, Elena simulates a series of rapid login attempts to the admin portal. She notes that the system allows unlimited tries without locking the account, exposing a gap that could invite relentless password-guessing attacks. Determined to safeguard the bank's assets, Elena drafts a recommendation to fortify the server's authentication process against such threats.
What countermeasure should Elena recommend to strengthen Cascade Financial's web server against the vulnerability identified?

Suggested Answer: C

The weakness described is a classic online password-guessing condition: the application permits unlimited authentication attempts without any throttling, lockout, or challenge mechanism. In CEH guidance, this exposure enables brute-force attacks and automated credential stuffing, where attackers rapidly test many passwords or reused credential pairs until successful. A practical and commonly recommended control at the web application layer is adding CAPTCHA challenges to the login workflow, especially after a small number of failed attempts or when anomalous behavior is detected. CAPTCHA increases the cost of automation by forcing human interaction, directly disrupting high-speed scripted guessing against the admin portal.
While implementing MFA is an excellent additional safeguard and is strongly encouraged for privileged access, the question asks for the best countermeasure to address the specific issue of unlimited rapid attempts.
CAPTCHA is a direct mitigation for automated login abuse, and CEH commonly pairs it with rate limiting, progressive delays, and account lockout policies. Periodic password changes do not prevent an attacker from guessing a password today, and CEH materials note that forced rotation can even reduce security if it drives predictable password patterns. Strong password hashing such as bcrypt, scrypt, or Argon2 is critical for protecting stored passwords if a database is compromised, but it does not stop online guessing against the login form itself. Therefore, the most fitting countermeasure for the identified vulnerability is using CAPTCHA challenges on login and registration pages, ideally combined with throttling and lockout for stronger defense in depth.

by Regan at Jun 17, 2026, 08:37 PM
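The layered control the answer above describes (a CAPTCHA requirement after a few failures, progressive delays, and a temporary lock) can be seen working against a scripted guesser. The following is an added example written for this page; it is not code from the exam, from EC-Council, or from any real banking platform. The thresholds, the `admin` account, the credential store and the three simulated bots are all constructed for illustration, and the clock is injectable so the simulation runs offline.

```python
"""Login throttling: CAPTCHA after N failures, progressive delay, temporary lock.

Added example (not from the exam page). Thresholds, the credential store and the
simulated attackers are constructed for illustration only.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Policy knobs (assumed values for the demo; tune to the application's risk appetite).
CAPTCHA_AFTER = 3      # failures before the login form must carry a solved CAPTCHA
LOCK_AFTER = 10        # failures before the account is temporarily locked
LOCK_SECONDS = 900.0   # length of the temporary lock (15 minutes)
BASE_DELAY = 1.0       # progressive delay after the first failure, doubling per failure
MAX_DELAY = 30.0       # cap on the progressive delay

# Constructed credential store: PBKDF2 hashes compared in constant time. The static
# salt only keeps the demo short; a real store uses a random per-user salt.
_SALT = b"demo-static-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"admin": _hash("correct horse battery staple")}


def verify(username: str, password: str) -> bool:
    """Hashing protects the stored secret at rest; it does nothing against online guessing."""
    stored = USERS.get(username)
    candidate = _hash(password)  # computed even for unknown users, so timing stays uniform
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


@dataclass
class AttemptState:
    failures: int = 0
    not_before: float = 0.0    # progressive delay: no attempt accepted before this time
    locked_until: float = 0.0  # temporary lock: no attempt accepted before this time


class LoginThrottle:
    """Per-account state; the clock is injectable so behaviour can be simulated offline."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.state: Dict[str, AttemptState] = {}

    def check(self, username: str) -> dict:
        s = self.state.setdefault(username, AttemptState())
        now = self.clock()
        if now < s.locked_until:
            return {"allowed": False, "reason": "locked", "retry_after": s.locked_until - now}
        if now < s.not_before:
            return {"allowed": False, "reason": "too_fast", "retry_after": s.not_before - now}
        return {"allowed": True, "captcha_required": s.failures >= CAPTCHA_AFTER}

    def record_failure(self, username: str) -> None:
        s = self.state.setdefault(username, AttemptState())
        now = self.clock()
        s.failures += 1
        # delay doubles per failure (1, 2, 4, 8, ...) up to MAX_DELAY
        s.not_before = now + min(BASE_DELAY * 2 ** min(s.failures - 1, 10), MAX_DELAY)
        if s.failures >= LOCK_AFTER:
            s.locked_until = now + LOCK_SECONDS

    def record_success(self, username: str) -> None:
        self.state.pop(username, None)  # a successful login resets the counters


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  captcha_ok: bool) -> str:
    """Returns one of: ok, invalid, captcha_required, too_fast, locked."""
    decision = throttle.check(username)
    if not decision["allowed"]:
        return decision["reason"]
    if decision["captcha_required"] and not captcha_ok:
        return "captcha_required"  # not a failure: the password was never checked
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "invalid"


def simulate_bot(attempts: int, patient: bool, solves_captcha: bool) -> List[str]:
    """Constructed attacker: one guess every 0.5 s; a 'patient' bot waits out delays."""
    clock = [1000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    outcomes: List[str] = []
    for i in range(attempts):
        decision = throttle.check("admin")
        if patient and not decision["allowed"] and decision["reason"] == "too_fast":
            clock[0] += decision["retry_after"]
        outcomes.append(attempt_login(throttle, "admin", f"guess{i}", captcha_ok=solves_captcha))
        clock[0] += 0.5
    return outcomes


if __name__ == "__main__":
    for patient, captcha in [(False, False), (True, False), (True, True)]:
        print(f"patient={patient} solves_captcha={captcha}: "
              f"{simulate_bot(12, patient, captcha)}")
```

Running the three simulations shows the layering: a bot that fires every half second gets only 3 real password checks out of 12 requests because the progressive delay rejects the rest; a bot that waits out each delay but cannot solve the CAPTCHA is stopped cold after the third failure; and a bot that buys CAPTCHA solves still reaches the lock after 10 guesses spread over roughly two and a half minutes. Note that the state here is keyed by username only, so an attacker can deliberately lock a known administrator account; in production this per-account logic is paired with per-source-IP throttling and alerting rather than used alone.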
