CompTIA Security Plus Mock Test Q983

An organization's security policy requires that users change passwords every 30 days. After a security audit, it was determined that users were recycling previously used passwords. Which of the following password enforcement policies would have mitigated this issue?

A. Password history
B. Password complexity
C. Password length
D. Password expiration


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a
user from changing his password to any of his previous 5 passwords. However, without a minimum password age setting, the user could change his password six times and cycle back
to his original password.

Incorrect Answers:
B: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. It will not
prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
C: Password length determines the minimum number of characters your password should contain. It will not prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
D: Password expiration determines how long a password can be used for before it must be changed. Password expiration will force users to change their passwords but it will not
prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.

References:
https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx#w2k3tr_sepol_accou_set_kuwh

CompTIA Security Plus Mock Test Q982

A recent review of accounts on various systems has found that after employees’ passwords are required to change they are recycling the same password as before. Which of the following policies should be enforced to prevent this from happening? (Select TWO).

A. Reverse encryption
B. Minimum password age
C. Password complexity
D. Account lockouts
E. Password history
F. Password expiration

Correct Answer: B,E
Section: Access Control and Identity Management

Explanation:
E: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow
a user from changing his password to any of his previous 5 passwords.
B: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password
history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is
the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the
same password for at least 30 days.

Incorrect Answers:
A: Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. This will not prevent users from changing their passwords multiple
times to cycle back to their original passwords. Therefore, this answer is incorrect.
C: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. It will not
prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
D: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. Account lockout settings will
not prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.
F: Password expiration determines how long a password can be used for before it must be changed. Password expiration will force users to change their passwords but it will not
prevent users from changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer is incorrect.

References:
https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx#w2k3tr_sepol_accou_set_kuwh

CompTIA Security Plus Mock Test Q961

An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO).

A. Length of password
B. Password history
C. Minimum password age
D. Password expiration
E. Password complexity
F. Non-dictionary words


Correct Answer: B,C
Section: Access Control and Identity Management

Explanation:
In this question, users are forced to change their passwords every six weeks. However, they are able to change their password and enter the same password as the new password.
Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a
user from changing his password to any of his previous 5 passwords.
When a user is forced to change his password due to a maximum password age period expiring (the question states that the network requires that the passwords be changed every six weeks), he could change his password to a previously used password. Or, if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.

Incorrect Answers:
A: The length of password determines how many characters a password must contain. It will not prevent users from changing their passwords multiple times to cycle back to their
original passwords.
D: Password expiration determines how long a password can be used for before it must be changed. In this question, the password expiration is 6 weeks. Password expiration will
force users to change their passwords but it will not prevent users from changing their passwords multiple times to cycle back to their original passwords.
E: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. It will not prevent users from changing their passwords multiple times to cycle back to their original passwords.
F: Non-dictionary words is a setting that determines that a password should not be a word that can be found in a dictionary. This is to prevent a “dictionary attack” where software can
be used to attempt to access a system by using the words of a dictionary as the password.

References:
https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx#w2k3tr_sepol_accou_set_kuwh

CompTIA Security Plus Mock Test Q950

A small company has a website that provides online customer support. The company requires an account recovery process so that customers who forget their passwords can regain access. Which of the following is the BEST approach to implement this process?

A. Replace passwords with hardware tokens which provide two-factor authentication to the online customer support site.
B. Require the customer to physically come into the company’s main office so that the customer can be authenticated prior to their password being reset.
C. Web-based form that identifies customer by another mechanism and then emails the customer their forgotten password.
D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login.


Correct Answer: D
Section: Access Control and Identity Management

Explanation:
People tend to forget their passwords, so you should have a password recovery system for them that does not increase risk exposure. Setting a temporary password restricts the time that the password is valid and thus decreases risk; in addition, forcing the customer to change it upon first login ensures that the password is known only to the customer.

Incorrect Answers:
A: Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. It does not address the problem in this case, which stems from a forgotten password that needs to be recovered.
B: Requiring customers to physically come in to the company's main office is not a viable option: what if the customer is on a different continent?
C: Emailing customers their forgotten password is risky because the email can be intercepted. A forgotten password is best eliminated from the system, since a forgotten password that is still active can compromise your business as well as your customers.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 139, 142

CompTIA Security Plus Mock Test Q946

A security administrator is concerned about the strength of users' passwords. The company does not want to implement a password complexity policy. Which of the following can the security administrator implement to mitigate the risk of an online password attack against users with weak passwords?

A. Increase the password length requirements
B. Increase the password history
C. Shorten the password expiration period
D. Decrease the account lockout time


Correct Answer: C
Section: Access Control and Identity Management

Explanation:
Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn’t meet the compliance
requirements of the company’s password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system
intrusion. This will give online password attackers less time to crack the weak passwords.

Incorrect Answers:
A: Increasing the password length will not make the new passwords less susceptible to online password attackers.
B: Password history tracks previous passwords to prevent password reuse. It will not make the new passwords less susceptible to online password attackers.
D: Account lockout automatically disables an account due to repeated failed logon attempts. When the account is unlocked it will still have the same weak password, and will still be susceptible to online password attacks.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292-294

CompTIA Security Plus Mock Test Q945

Sara, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning?

A. A recent security breach in which passwords were cracked.
B. Implementation of configuration management processes.
C. Enforcement of password complexity requirements.
D. Implementation of account lockout procedures.

Correct Answer: A
Section: Access Control and Identity Management

Explanation:
A password only needs to be changed if it doesn’t meet the compliance requirements of the company’s password policy, or is evidently insecure. It will also need to be changed if it has
been reused, or due to possible compromise as a result of a system intrusion.

Incorrect Answers:
B: Configuration management provides visibility and control of a system’s performance, as well as its functional and physical attributes.
C: Password complexity normally requires a minimum of three out of four standard character types to be represented in the password. It would not require forcing expiration of all
company passwords by the close of business day.
D: Account lockout automatically disables an account due to repeated failed logon attempts. It would not require forcing expiration of all company passwords by the close of business day.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292, 293
http://en.wikipedia.org/wiki/Configuration_management

CompTIA Security Plus Mock Test Q944

The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk?

A. Enforce password rules requiring complexity.
B. Shorten the maximum life of account passwords.
C. Increase the minimum password length.
D. Enforce account lockout policies.

Correct Answer: A
Section: Access Control and Identity Management

Explanation:
Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters a password contains, and the more character types it includes, the more resistant it is to brute force attacks.

Incorrect Answers:
B: Reducing the maximum life of account passwords will require passwords to be changed at the end of that period. This will not make the new passwords less susceptible to brute
force attacks.
C: Increasing the password length will not make the new passwords less susceptible to brute force attacks.
D: Account lockout automatically disables an account due to repeated failed logon attempts. It will not make the new passwords less susceptible to brute force attacks.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292, 293

CompTIA Security Plus Mock Test Q938

An auditing team has found that passwords do not meet best business practices. Which of the following will MOST increase the security of the passwords? (Select TWO).

A. Password Complexity
B. Password Expiration
C. Password Age
D. Password Length
E. Password History

Correct Answer: A,D
Section: Access Control and Identity Management

Explanation:
Passwords should be strong enough to resist discovery through attack, but they should also be easy enough for the user to remember. The length and complexity of a password combined are vital factors in defining a password's strength.

Incorrect Answers:
B, C: It is common practice for passwords to automatically expire after a specified period so as to compel users to change passwords. However, if it is a strong password, it can remain
static.
E: Password History tracks previous passwords so as to prevent password reuse.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292, 293

CompTIA Security Plus Mock Test Q921

An organization has introduced token-based authentication to system administrators due to risk of password compromise. The tokens have a set of numbers that automatically change every 30 seconds. Which of the following type of authentication mechanism is this?

A. TOTP
B. Smart card
C. CHAP
D. HOTP


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. In this case, it’s every 30 seconds.

Incorrect Answers:
B: A smart card is sometimes referred to as an identity token containing integrated circuits. It does not generate passwords based on time.
C: The Challenge-Handshake Authentication Protocol (CHAP) is used primarily over dial-up connections to provide a secure transport mechanism for logon credentials. It does not
generate passwords based on time.
D: HMAC-based one-time password (HOTP) tokens are devices that generate passwords based on a nonrepeating one-way function.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 282, 283