ISC2 CISSP Practice Question

The correct answer is implementing credential lockout mechanisms with increasing delays between attempts.

Brute force attacks work by systematically trying every possible combination of characters until the correct password is found. The most effective defense against such attacks is to implement mechanisms that limit the rate at which an attacker can make authentication attempts. Credential lockout mechanisms that introduce increasing delays between successive failed login attempts significantly slow down brute force attacks, making them impractical to execute successfully.

While password complexity requirements (minimum length, special characters) do increase the potential keyspace an attacker must search, they don't prevent the attacker from making rapid consecutive attempts. Similarly, password expiration policies help against compromised credentials but don't directly prevent brute force attempts. Monitoring failed login attempts is useful for detection but is a detective rather than preventive control against brute force attacks.