Rebecca is registering for her website hosting account and has been prompted to pick a strong password. It must include letters, numbers, special characters, and be at least 8 characters long. What kind of security threat is her internet service provider trying to prevent with this requirement?

Study for the CIW User Interface Designer Test. Prepare with flashcards and multiple choice questions; each query provides hints and explanations. Get ready for your exam!

Multiple Choice

Rebecca is registering for her website hosting account and has been prompted to pick a strong password. It must include letters, numbers, special characters, and be at least 8 characters long. What kind of security threat is her internet service provider trying to prevent with this requirement?

Explanation:
The requirement is aimed at preventing brute-force password guessing. Forcing a mix of letters, numbers, and special characters along with a minimum length makes the number of possible passwords (the search space) much larger. That higher entropy means an attacker has to work through far more guesses, which slows down or thwarts automated guessing attempts, especially when combined with account lockouts or rate limits.

SQL injection would involve tricking a website into running unintended database commands, which isn’t about guessing passwords. A Denial of Service attack aims to overwhelm a service with traffic or requests, not to crack passwords. Social engineering exploits people’s trust to reveal credentials, rather than guessing them through automated trials. So the password policy is most effective against brute-force attacks.

