CompTIA Security Plus Mock Test Q989

A network administrator, Joe, arrives at his new job to find that none of the users have changed their network passwords since they were initially hired. Joe wants to have everyone change their passwords immediately. Which of the following policies should be enforced to initiate a password change?

A. Password expiration
B. Password reuse
C. Password recovery
D. Password disablement


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
The Maximum password age policy setting determines the number of days that a password can be used before the system requires the user to change it. The password expiration setting determines that a user will not be able to log into a system without changing their password after the maximum password age has been reached.

Incorrect Answers:
B: Password reuse policies (also known as password history) determine the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. This does not force a user to change their password. Therefore, this answer is incorrect.
C: Password recovery is the process of recovering a lost or forgotten password. This usually involves an administrator resetting the password, because most passwords are stored as hash values and the actual password cannot be determined. This does not force a user to change their password. Therefore, this answer is incorrect.
D: Password disablement (also known as account disablement) is the process of locking or disabling a user account. A disabled account cannot be logged into but can be re-enabled when required. When a user will be gone from a company for a while (maternity leave, for example), their account should be disabled until they return. This does not force a user to change their password. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 140-141.

CompTIA Security Plus Mock Test Q942

After a recent internal audit, the security administrator was tasked to ensure that all credentials must be changed within 90 days, cannot be repeated, and cannot contain any dictionary words or patterns. All credentials will remain enabled regardless of the number of attempts made. Which of the following types of user account options were enforced? (Select TWO).

A. Recovery
B. User assigned privileges
C. Lockout
D. Disablement
E. Group based privileges
F. Password expiration
G. Password complexity


Correct Answer: F,G
Section: Access Control and Identity Management

Explanation:
Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters a password has, combined with some character-type complexity, the more resistant it is to password-cracking techniques. In most cases, passwords are set to expire every 90 days.

Incorrect Answers:
A: Recovery of a password requires that the password storage mechanism be reversible or that passwords be stored in multiple ways. Requiring passwords to be changed is more secure than recovering them.
B: User assigned privileges can be assigned by the user. It will not ensure that all credentials must be changed within 90 days.
C: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. The question states: “All credentials will remain enabled regardless of the number of attempts made.”
D: Disablement automatically disables a user account or causes the account to expire at a specific time and on a specific day. It will not ensure that all credentials must be changed within 90 days.
E: Group-based privileges grant each group member the same level of access to a certain object. It will not ensure that all credentials must be changed within 90 days.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292-294.