How do you prevent brute-force password attacks?
Rate limit login (5 attempts per 15 min per IP and per email). Lock the account temporarily after too many failures. Use a slow hash (bcrypt, argon2) so each attempt is expensive for attackers.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Password Security Interview Questions and Answers
Because if the database is leaked, plain-text passwords expose every user. People reuse passwords, so one leak breaks other accounts. Hashing turns passwords into irreversible strings, so a leak does not reveal the passwords.
SHA-256 is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. bcrypt is slow on purpose and has a salt built in, making brute-force expensive.
A random value added to the password before hashing. It ensures two users with the same password get different hashes. Prevents rainbow table attacks. bcrypt and argon2 handle salting automatically.
Still have questions?
Browse all our FAQs or reach out to our support team
