[&] How can a brute force attack reveal the presence of an account lockout mechanism?
- By triggering a change in server hardware
- By observing a consistent failure message
- By detecting changes in authentication response time
- By noticing that access to the account is blocked after a number of failed attempts -- Correct

[&] When testing for weak lockout mechanisms, which tool is used to perform directory and file brute forcing?
- Searchsploit
- Dirb -- Correct
- Burp Suite
- FoxyProxy

[&] Why might a web application use a manual unlock process performed by an administrator?
- To simplify the process of authentication
- To add an extra layer of security for sensitive accounts -- Correct
- To increase user convenience and reduce support ticket flow
- To allow for automatic resets of all user accounts

[&] In bypassing a weak account lockout mechanism, what might an empty password field exploit?
- A server-side malfunction leading to denial of service
- A vulnerability that disregards authentication checks -- Correct
- A client-side script error preventing login
- A configuration error in the login script

[&] What role does rate limiting play in preventing account lockout bypass?
- It provides a cooldown period between successive logins
- It limits the number of failed login attempts over time -- Correct
- It restricts the number of concurrent sessions
- It blocks all access after a single failed attempt

[&] What is an account lockout mechanism primarily designed to prevent?
- Unauthorized data access
- Repeated failed authentication attempts (password guessing) -- Correct
- Server overload from multiple requests
- Credential storage in plain text
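Worked example (added here; it is not part of the quiz and not taken from any named product): a minimal login service with a sliding-window lockout policy, the empty-password weakness from the fourth question shown as a switchable flag, and the black-box probe a tester runs to detect the lockout threshold from the first question. Everything is simulated in-process with a fake clock so it runs offline; the user `alice`, her password, and the class and function names `LockoutPolicy`, `LoginService`, `FakeClock` and `probe_lockout` are all assumptions made for this example.

```python
"""Added example: sliding-window account lockout plus a tester-side probe.
The user store, policy numbers and class names are constructed for
illustration; a real service hashes passwords and persists lockout state."""
import hmac
import time
from collections import deque
from dataclasses import dataclass

# Constructed sample user store (plaintext only to keep the example short).
VALID_PW = "correct-horse-battery-staple"
USERS = {"alice": VALID_PW}
DUMMY_SECRET = "x" * len(VALID_PW)   # compared for unknown users so timing does not leak usernames


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # failures tolerated ...
    window_seconds: float = 300.0  # ... inside this sliding window
    lock_seconds: float = 900.0    # how long the account stays locked


class FakeClock:
    """Controllable clock so lock expiry and window expiry can be shown."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class LoginService:
    def __init__(self, policy, reject_empty_password=True, clock=time.monotonic):
        self.policy = policy
        self.reject_empty_password = reject_empty_password
        self.clock = clock
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> unlock time

    def login(self, username, password):
        now = self.clock()
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        # Weak variant: treating an empty password as "nothing to check"
        # skips authentication entirely (the quiz's empty-password bypass).
        if password == "" and not self.reject_empty_password:
            return "ok"
        stored = USERS.get(username, DUMMY_SECRET)
        match = hmac.compare_digest(stored.encode(), password.encode())  # constant-time
        if match and username in USERS:
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        window = self._failures.setdefault(username, deque())
        window.append(now)
        # Rate limiting "over time": drop failures older than the window.
        while window and window[0] < now - self.policy.window_seconds:
            window.popleft()
        if len(window) >= self.policy.max_failures:
            self._locked_until[username] = now + self.policy.lock_seconds
            window.clear()
            return "locked"
        return "invalid"


def probe_lockout(service, username, valid_password, max_attempts=50):
    """Tester's view: send wrong passwords until the response changes, then
    check that the VALID password is also refused. A changed message alone
    is not a lockout; only a refused valid login proves the account is locked."""
    for attempt in range(1, max_attempts + 1):
        result = service.login(username, f"wrong-{attempt}")
        if result != "invalid":
            valid_blocked = service.login(username, valid_password) != "ok"
            return {"threshold": attempt, "response": result, "valid_blocked": valid_blocked}
    return {"threshold": None, "response": "invalid", "valid_blocked": False}


def run_demo():
    clock = FakeClock()
    svc = LoginService(LockoutPolicy(5, 300.0, 900.0), clock=clock)
    out = {"probe": probe_lockout(svc, "alice", VALID_PW)}   # locks on the 5th failure
    clock.advance(901)                                       # lock has expired
    out["after_lock_expiry"] = svc.login("alice", VALID_PW)  # "ok"
    for _ in range(4):                                       # 4 failures, then wait out the window
        svc.login("alice", "nope")
    clock.advance(301)
    out["stale_window"] = svc.login("alice", "nope")         # "invalid", old failures aged out
    weak = LoginService(LockoutPolicy(), reject_empty_password=False, clock=clock)
    out["empty_pw_weak"] = weak.login("alice", "")           # "ok": bypass
    out["empty_pw_fixed"] = svc.login("alice", "")           # "invalid"
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The probe deliberately re-tries the valid password after the response changes: a service that only changes its error text while still accepting correct credentials would pass a naive check but offers no real lockout. Against a live target the same loop would be driven by an HTTP client, and the tester would also vary the source IP, username case and empty-password input to look for paths that skip the counter.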