CompTIA Security Plus Mock Test Q531

Which of the following can be used by a security administrator to successfully recover a user’s forgotten password on a password protected file?

A. Cognitive password
B. Password sniffing
C. Brute force
D. Social engineering

Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
One way to recover a user’s forgotten password on a password protected file is to guess it. A brute force attack is an automated attempt to open the file by using many different passwords.
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security. A brute force attack may also be referred to as brute force cracking.
For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.
An attack of this nature can be time- and resource-consuming. Hence the name “brute force attack;” success is usually based on computing power and the number of combinations tried rather than an ingenious algorithm.

Incorrect Answers:
A: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question to verify their identity. To open the password protected file, we need the password that was used to protect the file.
B: Password sniffing is the process of capturing a password as it is transmitted over a network. As no one knows what the password for the protected file is, it won’t be transmitted over a network.
D: Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
A social engineer runs what used to be called a “con game.” For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network’s security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned eavesdropping are other typical social engineering techniques. As no one knows what the password for the protected file is, we can’t use social engineering to reveal the password.

References:
http://www.techopedia.com/definition/18091/brute-force-attack
http://searchsecurity.techtarget.com/definition/social-engineering