Password complexity | Exam Premium

CompTIA Security+ Question G-29

A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE).

A. Account lockout
B. Account expiration
C. Screen locks
D. Password complexity
E. Minimum password lifetime
F. Minimum password length

Answer: A,D,F

Explanation:
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.

The best defense against brute force attacks strong passwords. The following password policies will ensure that users have strong (difficult to guess) passwords:

F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice.

D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. This will ensure that passwords don’t consist of dictionary words which are easy to crack using brute force techniques.

A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.

CompTIA Security+ Question G-26

The system administrator is tasked with changing the administrator password across all 2000 computers in the organization. Which of the following should the system administrator implement to accomplish this task?

A. A security group
B. A group policy
C. Key escrow
D. Certificate revocation

Answer: B

Explanation:
Group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPO’s include a number of settings related to credentials, such as password complexity requirements, password history, password length, account lockout settings.

CompTIA Security+ Question G-13

An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO).

A. Length of password
B. Password history
C. Minimum password age
D. Password expiration
E. Password complexity
F. Non-dictionary words

Answer: B,C

Explanation:
In this question, users are forced to change their passwords every six weeks. However, they are able to change their password and enter the same password as the new password.

Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.

When a user is forced to change his password due to a maximum password age period expiring, (the question states that the network requires that the passwords be changed every six weeks) he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.

CompTIA Security+ Question G-11

An organizations’ security policy requires that users change passwords every 30 days. After a security audit, it was determined that users were recycling previously used passwords. Which of the following password enforcement policies would have mitigated this issue?

A. Password history
B. Password complexity
C. Password length
D. Password expiration

Answer: A

Explanation:
Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. However, without a minimum password age setting, the user could change his password six times and cycle back to his original password.

CompTIA Security+ Question F-36

Which of the following practices reduces the management burden of access management?

A. Password complexity policies
B. User account audit
C. Log analysis and review
D. Group based privileges

Answer: D

Explanation:
Granting permissions to all members of a group is quicker than individually assigning them to each user. This means an administrator will spend less time on assigning permissions to users who require the same access privileges.

CompTIA Security+ Question E-86

An internal auditing team would like to strengthen the password policy to support special characters. Which of the following types of password controls would achieve this goal?

A. Add reverse encryption
B. Password complexity
C. Increase password length
D. Allow single sign on

Answer: B

Explanation:
Generally, the minimum password length is considered to be 8 upper and lowercase characters. The use of at least one non-alpha character like punctuation, special characters, or numbers, combined with the password length produces strong passwords. Strong passwords are produced by the combination of a password’s length and complexity.

CompTIA Security+ Question E-30

A security administrator is concerned about the strength of user’s passwords. The company does not want to implement a password complexity policy. Which of the following can the security Administrator implement to mitigate the risk of an online password attack against users with weak passwords?

A. Increase the password length requirements
B. Increase the password history
C. Shorten the password expiration period
D. Decrease the account lockout time

Answer: C

Explanation:
Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn’t meet the compliance requirements of the company’s password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion. This will give online password attackers less time to crack the weak passwords.

CompTIA Security+ Question E-14

A recent review of accounts on various systems has found that after employees’ passwords are required to change they are recycling the same password as before. Which of the following policies should be enforced to prevent this from happening? (Select TWO).

A. Reverse encryption
B. Minimum password age
C. Password complexity
D. Account lockouts
E. Password history
F. Password expiration

Answer: B,E

Explanation:
E: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.

B: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.

CompTIA Security+ Question D-11

Several employee accounts appear to have been cracked by an attacker. Which of the following should the security administrator implement to mitigate password cracking attacks? (Select TWO).

A. Increase password complexity
B. Deploy an IDS to capture suspicious logins
C. Implement password history
D. Implement monitoring of logins
E. Implement password expiration
F. Increase password length

Answer: A,F

Explanation:
The more difficult a password is the more difficult it is to be cracked by an attacker. By increasing the password complexity you make it more difficult. Passwords that are too short can easily be cracked. The more characters used in a password, combined with the increased complexity will mitigate password cracking attacks.

CompTIA Security+ Question C-37

A security administrator wants to check user password complexity. Which of the following is the
BEST tool to use?

A. Password history
B. Password logging
C. Password cracker
D. Password hashing

Answer: C

Explanation:
The most important countermeasure against password crackers is to use long, complex passwords, which are changed regularly. Password-cracking tools compare hashes from potential passwords with the hashes stored in the accounts database. Each potential password is hashed, and that hash value is compared with the accounts database. If a match is found, the password-cracker tool has discovered a password for a user account.