An organization is moving its human resources system to a cloud services provider. The company plans to continue using internal usernames and passwords with the service provider, but the security manager does not want the service provider to have a copy of the passwords. Which of the following options meets all of these requirements?
A. Two-factor authentication B. Account and password synchronization C. Smartcards with PINs D. Federated authentication
A system administrator must configure the company's authentication system to ensure that users will be unable to reuse the last ten passwords within a six-month period. Which of the following settings must be configured? (Select TWO)
A. Minimum password age B. Password complexity C. Password history D. Minimum password length E. Multi-factor authentication F. Do not store passwords with reversible encryption
A recent review of accounts on various systems has found that after employees' passwords are required to be changed, they are recycling the same password as before. Which of the following policies should be enforced to prevent this from happening? (Select TWO)
A. Reverse encryption B. Minimum password age C. Password complexity D. Account lockouts E. Password history F. Password expiration
A programmer must write a piece of code to encrypt passwords and credit card information used by an online shopping cart. The passwords must be stored using one-way encryption, while credit card information must be stored using reversible encryption. Which of the following should be used to accomplish this task? (Select TWO)
A. SHA for passwords B. 3DES for passwords C. RC4 for passwords D. AES for credit cards E. MD5 for credit cards F. HMAC for credit cards
Company policy requires employees to change their passwords every 60 days. The security manager has verified all systems are configured to expire passwords after 60 days. Despite the policy and technical configuration, weekly password audits suggest that some employees have had the same weak passwords in place longer than 60 days. Which of the following password parameters is MOST likely misconfigured?
A. Minimum lifetime B. Complexity C. Length D. Maximum lifetime
Ann, a network administrator, has been tasked with strengthening the authentication of users logging into systems in an area containing sensitive information. Users log in with usernames and passwords, followed by a retinal scan. Which of the following could she implement to add an additional factor of authorization?
A. Requiring PII usage B. Fingerprint scanner C. Magnetic swipe cards D. Complex passphrases
A new client application developer wants to ensure that the encrypted passwords that are stored in their database are secure from cracking attempts. To implement this, the developer implements a function on the client application that hashes passwords thousands of times prior to being sent to the database. Which of the following did the developer MOST likely implement?
A. RIPEMD B. PBKDF2 C. HMAC D. ECDHE
Correct Answer: B Section: Cryptography
Password-Based Key Derivation Function 2 (PBKDF2) applies a pseudorandom function (a hashing operation, an encryption cipher function, or an HMAC operation) to the input password combined with a salt, and repeats that operation thousands of times.
A: RIPEMD is a hashing function, but it does not hash passwords thousands of times before sending them to the database.
C: HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. It does not, however, hash passwords thousands of times before sending them to
D: ECDHE provides both CRC integrity checks and RCA encryption.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 249, 254, 260, 343
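The explanation above describes what PBKDF2 does (salt plus a pseudorandom function repeated many times), and the earlier questions on password history and minimum password age describe why both settings are needed together. The following Python code is an added example written for this page, not from the cited study guides or any exam: it derives a salted, iterated password hash with the standard library's `hashlib.pbkdf2_hmac`, verifies it in constant time, and then uses those stored records to enforce a password-change policy that checks both history depth and minimum age. The iteration count, salt length, history depth, minimum age and the sample password are assumptions chosen for illustration.

```python
"""Salted, iterated password hashing (PBKDF2) plus a password-change policy
check that combines password history with minimum password age.

Example code added to this page; it is not from the cited study guides.
Parameter values (iterations, salt length, history depth, minimum age)
are assumptions chosen for illustration."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ALGORITHM = "sha256"
ITERATIONS = 600_000       # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_LEN = 32
DAY = 86_400               # seconds


def unsalted_sha256(password: str) -> str:
    """What 'SHA for passwords' looks like with no salt and no iterations:
    still one-way, but identical passwords give identical hashes and each
    guess costs a single hash, so precomputed tables and brute force work."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC over the password and a per-user random salt, repeated
    `iterations` times. Returned as a self-describing record so parameters
    can be raised later without breaking old entries:
    pbkdf2_<alg>$<iterations>$<salt_hex>$<hash_hex>"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record and
    compare in constant time; the plaintext is never stored."""
    try:
        tag, iters, salt_hex, hash_hex = record.split("$")
        alg = tag.split("_", 1)[1]
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters),
                                 dklen=len(expected))
    except (ValueError, IndexError):
        return False   # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


# A history entry is (time the password was set, stored hash record), newest first.
History = List[Tuple[float, str]]


def can_change_password(new_password: str, history: History, now: float,
                        history_depth: int = 10,
                        min_age_days: int = 1) -> Tuple[bool, str]:
    """Password history alone can be defeated by changing the password
    eleven times in a row to cycle back to the old one; minimum password age
    closes that gap by refusing a second change inside `min_age_days`."""
    if history and now - history[0][0] < min_age_days * DAY:
        return False, "minimum password age not reached"
    for _, record in history[:history_depth]:
        if verify_password(new_password, record):
            return False, "password matches one of the last %d" % history_depth
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    rec = hash_password("Spring2014!", iterations=1000)
    print(rec)
    print(verify_password("Spring2014!", rec), verify_password("Winter2014!", rec))
    hist: History = [(1_000_000.0, rec)]
    print(can_change_password("Spring2014!", hist, now=1_000_000.0 + 2 * DAY))
    print(can_change_password("Autumn2014!", hist, now=1_000_000.0 + 2 * DAY))
```

Because every history entry keeps its own salt, the history check has to re-run PBKDF2 once per remembered password, which is why verification against a ten-deep history is noticeably slower than a single login; that cost is the same one an attacker pays per guess, and it is the point of the iteration count.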
Which of the following offers the LEAST secure encryption capabilities?
A. TwoFish B. PAP C. NTLM D. CHAP
Correct Answer: B Section: Cryptography
PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP.
A: TwoFish provides stronger encryption compared to NTLM, CHAP and PAP. TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. TwoFish is related to the earlier block cipher Blowfish.
C: NTLM provides stronger encryption compared to CHAP and PAP. NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is being replaced by Kerberos.
D: CHAP provides a more secure encryption than PAP. CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and of a
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 139, 143, 251, 256
A network administrator, Joe, arrives at his new job to find that none of the users have changed their network passwords since they were initially hired. Joe wants to have everyone change their passwords immediately. Which of the following policies should be enforced to initiate a password change?
A. Password expiration B. Password reuse C. Password recovery D. Password disablement
Correct Answer: A Section: Access Control and Identity Management
The Maximum password age policy setting determines the number of days that a password can be used before the system requires the user to change it. The password expiration setting determines that a user will not be able to log into a system without changing their password after the maximum password age has been reached.
B: Password reuse policies (also known as password history) determine the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. This does not force a user to change their password. Therefore, this answer is incorrect.
C: Password recovery is the process of recovering a lost or forgotten password. This usually involves an administrator resetting the password, as most passwords are stored as hash values so the actual password cannot be determined. This does not force a user to change their password. Therefore, this answer is incorrect.
D: Password disablement (also known as account disablement) is the process of locking or disabling a user account. A disabled account cannot be logged into but can be re-enabled when required. When a user will be gone from a company for a while (maternity leave, for example), their account should be disabled until they return. This does not force a user to change their password. Therefore, this answer is incorrect.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 140-141.