Exam SY0-501 topic 1 question 935 discussion

Error handling. The website is giving out information after an error has occurred that the threat actor can use to refine their attacks.

Username lockout: This is the most effective measure to thwart credential stuffing attacks. Here's how it works: Threshold: After a certain number of failed login attempts (typically 3-5) within a specified timeframe, the account is locked. Duration: The lockout period can vary, often lasting 15-30 minutes or longer. Reset: Users can typically reset their password or contact support to unlock their account.

According to the CompTIA book, the answer should be C: "Improper error handling: When software is not designed to properly handle errors, the result might be release of message and diagnostic information that is sensitive to the inner workings of the systems. This data can disclose details to an end user and allow an attacker to gain sufficient information to advance an attack."

the answer is B.

Error handling isn't something you "enable" lol

Why on earth would it be "error handling". This just assumes that the developer for some reason throws some exception if there's no match for a username or password, what a silly assumption, as this logic is generally done in the body of a method (but could be done either way). A very general code example would be: private Boolean isValidUser(String user, String password){ if(dao.verifyUser(user) && dao.verifyPassword(password){ return true; } else{ addMessage("Your credentials were not correct"); return false; } How is it possible that Comptia is taken seriously by anybody in this field?

and I can't determine if its D or C

is it Improper error handling or just error handling?

is username lockout the same as account lockout? "Account lockout keeps the account secure by preventing anyone or anything from guessing the username and password." so if that is the case then i would go with D.