A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against corporate credentials. Which of the following controls was being violated?
Answer: Password complexity
Password complexity is a measure of how difficult a password is to guess in relation to any number of guessing or cracking methods. For the security auditor to be able to perform a dictionary attack successfully, the credentials must have been too predictable and were likely common passwords.
It's true that password length is more important than complexity, but in my guide from Darril Gibson there is no such thing as password length. It is mentioned, but complexity is the control that was violated.
There is a strong argument for C, but I'm sure that's not it since 90% chose A. A dictionary attack can be a library of compromised passwords from other sites; users could use the same passwords across multiple accounts, which would be a violation. But then again, restricting password reuse across multiple accounts from different platforms is likely not enforceable in most scenarios.
The security policy states that common words should not be used as passwords, which implies that the passwords should have certain complexity requirements to avoid using easily guessable passwords. A dictionary attack is an attempt to crack passwords by systematically trying words from a dictionary, and it can be successful when passwords lack complexity. By enforcing password complexity requirements, organizations aim to prevent attackers from using simple and common words as passwords.
Passwords in a common dictionary are not necessarily not complex. In the well-known "/usr/share/wordlists/rockyou.txt" dictionary, we can find passwords like "arisDAN13032008", "[email protected]"... So it's about reuse, not about complexity.
According to guidance offered by the National Institute of Standards and Technology (NIST), password length is more important than password complexity. This actually makes a lot of sense as longer passphrases take longer to crack, and they are easier to remember than a string of meaningless characters.
NIST has provided a number of additional recommendations for organizations to follow, some of which include:
- Passphrases should consist of 15 or more characters.
- Uppercase, lowercase, or special characters are not required.
- Only ask users to change their passwords if you believe your network has been compromised.
- Check all new passwords against a list of passwords that are frequently compromised.
- Avoid locking your users out of their accounts after a number of unsuccessful login attempts, as hackers will often try to flood networks by purposely trying incorrect passwords in order to lock users out of their accounts.
- Don’t allow password “hints.”
www.lepide.com
I'm inclined to go for option D
This might be true but it does not answer the question.
The question is: Which of the following controls was being violated?
When using a standard word, you violate the complexity control.
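As an added example, not part of the original question or of any comment above: a Python script that simulates the auditor's dictionary attack against a constructed credential store and then runs each password through the two controls the thread argues over, a composition-style complexity rule and a NIST-style check against a list of known-compromised passwords. The wordlist, usernames and passwords are constructed for illustration (the list stands in for a file such as rockyou.txt but is not that file), and salted SHA-256 is used only because a fast hash makes the attack cheap to show; a real store would use a slow KDF such as scrypt or Argon2.

```python
import hashlib
import hmac
import os
import string

# Constructed wordlist standing in for a breached-password file (not rockyou.txt itself).
# Note the last three entries: long and mixed-class, yet still "in the dictionary".
WORDLIST = [
    "password", "123456", "qwerty", "letmein", "welcome", "dragon",
    "monkey", "football", "arisDAN13032008", "Summer2024!", "P@ssw0rd123",
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256, chosen here only so the attack below runs instantly."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_store(users: dict) -> dict:
    """Constructed credential store: username -> (salt, digest)."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def dictionary_attack(store: dict, wordlist) -> dict:
    """Auditor's view: hash every wordlist entry with each user's salt and compare.
    Returns {username: recovered_password} for every account that falls."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                cracked[user] = candidate
                break
    return cracked


def is_complex(password: str) -> bool:
    """A typical composition rule: at least 8 characters and 3 of 4 character classes."""
    classes = (
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= 8 and sum(classes) >= 3


def violates_policy(password: str, wordlist) -> list:
    """Return the names of the controls the password fails, in a fixed order:
    'complexity' (composition rule) and/or 'blocklist' (NIST-style check
    against known-compromised passwords, compared case-insensitively)."""
    failures = []
    if not is_complex(password):
        failures.append("complexity")
    if password.lower() in {w.lower() for w in wordlist}:
        failures.append("blocklist")
    return failures


if __name__ == "__main__":
    # Constructed users: one common word, one "complex" leaked password, one long passphrase.
    users = {
        "alice": "password",
        "bob": "Summer2024!",
        "carol": "correct horse battery staple",
    }
    store = build_store(users)
    print("cracked:", dictionary_attack(store, WORDLIST))
    for user, pw in users.items():
        print(user, "fails:", violates_policy(pw, WORDLIST) or "nothing")
```

Running it shows the point the thread circles around: "password" fails both controls, but "Summer2024!" passes the composition rule and is still cracked because it is in the list, so only the blocklist check would have stopped it. Carol's passphrase survives the attack yet fails the composition rule, which is the NIST argument for length and a compromised-password check over mandatory character classes.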
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters:
rodwave (Highly Voted), 2 years, 6 months ago
LordJaraxxus (Most Recent), 1 year, 2 months ago
7308365, 1 year, 4 months ago
jack35567, 1 year, 6 months ago
Protract8593, 1 year, 10 months ago
tutita, 2 years, 2 months ago
user82, 2 years, 1 month ago
xxxdolorxxx, 2 years, 4 months ago
NICKJONRIPPER, 2 years, 6 months ago
Sandon, 2 years, 5 months ago
Gino_Slim, 2 years, 7 months ago
RonWonkers, 2 years, 8 months ago
Ay_ma, 2 years, 9 months ago
RonWonkers, 2 years, 8 months ago
user82, 2 years, 1 month ago
rhocale, 2 years, 5 months ago
comeragh, 2 years, 9 months ago