A security administrator is reviewing the below output from a password auditing tool: P@ss. @pW1. S3cU4 Which of the following additional policies should be implemented based on the tool’s output?
A. Password age B. Password history C. Password length D. Password complexity
Answer: C
Explanation: The output shows that all the passwords are either 4 or 5 characters long. This is way too short, 8 characters are shown to be the minimum for password length.
The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk?
A. Enforce password rules requiring complexity. B. Shorten the maximum life of account passwords. C. Increase the minimum password length. D. Enforce account lockout policies.
Answer: A
Explanation: Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character complexity, the more resistant it is to brute force attacks.
A recent audit has discovered that at the time of password expiration clients are able to recycle the previous credentials for authentication. Which of the following controls should be used together to prevent this from occurring? (Select TWO).
A. Password age B. Password hashing C. Password complexity D. Password history E. Password length
Answer: A,D
Explanation: D: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.
A: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE).
A. Account lockout B. Account expiration C. Screen locks D. Password complexity E. Minimum password lifetime F. Minimum password length
Answer: A,D,F
Explanation: A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.
The best defense against brute force attacks strong passwords. The following password policies will ensure that users have strong (difficult to guess) passwords:
F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice.
D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. This will ensure that passwords don’t consist of dictionary words which are easy to crack using brute force techniques.
A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.
The system administrator is tasked with changing the administrator password across all 2000 computers in the organization. Which of the following should the system administrator implement to accomplish this task?
A. A security group B. A group policy C. Key escrow D. Certificate revocation
Answer: B
Explanation: Group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPO’s include a number of settings related to credentials, such as password complexity requirements, password history, password length, account lockout settings.
An organizations’ security policy requires that users change passwords every 30 days. After a security audit, it was determined that users were recycling previously used passwords. Which of the following password enforcement policies would have mitigated this issue?
A. Password history B. Password complexity C. Password length D. Password expiration
Answer: A
Explanation: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. However, without a minimum password age setting, the user could change his password six times and cycle back to his original password.
A security administrator would like to ensure that system administrators are not using the same password for both their privileged and non-privileged accounts. Which of the following security controls BEST accomplishes this goal?
A. Require different account passwords through a policy B. Require shorter password expiration for non-privileged accounts C. Require shorter password expiration for privileged accounts D. Require a greater password length for privileged accounts
Answer: A
Explanation: A password policy aka account policy enforcement can be configured in such a way so as to make sure that system administrators make use of different passwords for different accounts.
An internal auditing team would like to strengthen the password policy to support special characters. Which of the following types of password controls would achieve this goal?
A. Add reverse encryption B. Password complexity C. Increase password length D. Allow single sign on
Answer: B
Explanation: Generally, the minimum password length is considered to be 8 upper and lowercase characters. The use of at least one non-alpha character like punctuation, special characters, or numbers, combined with the password length produces strong passwords. Strong passwords are produced by the combination of a password’s length and complexity.
A security administrator is concerned about the strength of user’s passwords. The company does not want to implement a password complexity policy. Which of the following can the security Administrator implement to mitigate the risk of an online password attack against users with weak passwords?
A. Increase the password length requirements B. Increase the password history C. Shorten the password expiration period D. Decrease the account lockout time
Answer: C
Explanation: Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn’t meet the compliance requirements of the company’s password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion. This will give online password attackers less time to crack the weak passwords.
Several employee accounts appear to have been cracked by an attacker. Which of the following should the security administrator implement to mitigate password cracking attacks? (Select TWO).
A. Increase password complexity B. Deploy an IDS to capture suspicious logins C. Implement password history D. Implement monitoring of logins E. Implement password expiration F. Increase password length
Answer: A,F
Explanation: The more difficult a password is the more difficult it is to be cracked by an attacker. By increasing the password complexity you make it more difficult. Passwords that are too short can easily be cracked. The more characters used in a password, combined with the increased complexity will mitigate password cracking attacks.