nerdexam
(ISC)2


CISSP Question #1139: Real Exam Question with Answer & Explanation

The correct answer is A: Implement a generic response for a failed login attempt.

Submitted by omar99 · Mar 5, 2026 · Software Development Security

Question

What is the BEST control to be implemented at a login page in a web application to mitigate the ability to enumerate users?

Options

  • A. Implement a generic response for a failed login attempt.
  • B. Implement a strong password during account registration.
  • C. Implement numbers and special characters in the user name.
  • D. Implement two-factor authentication (2FA) to login process.

Explanation

The best control to be implemented at a login page in a web application to mitigate the ability to enumerate users is to implement a generic response for a failed login attempt. User enumeration is a technique that allows an attacker to discover the valid usernames or email addresses of the users of a web application by exploiting differences in the responses or messages returned by the login page. For example, if the login page displays a specific message such as "Invalid username" or "Invalid password" when a user enters an incorrect username or password, the attacker can use this information to guess or brute-force the valid usernames or passwords. To prevent user enumeration, the login page should return a generic response for a failed login attempt, such as "Invalid username or password", regardless of whether it was the username or the password that was incorrect. This way, the attacker cannot distinguish valid usernames from invalid ones and cannot enumerate the users of the web application.
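As an added example (not part of the original question or explanation), here is a minimal Python login check in both forms: the leaky version that returns distinct messages, and the generic-response version the answer recommends. The user store, salt and credentials are constructed for the demo; the dummy-hash step for unknown usernames is an assumption added so both failure paths also perform the same amount of work.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Assumption: a dummy credential so an unknown username still costs one full
# hash, keeping the failure paths uniform in work as well as in message text.
_DUMMY = (_SALT, _hash("dummy-password", _SALT))

GENERIC = "Invalid username or password"

def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Leaky version: the message reveals whether the username exists."""
    if username not in USERS:
        return (False, "Invalid username")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Invalid password")
    return (True, "Welcome")

def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message for every failed attempt."""
    salt, stored = USERS.get(username, _DUMMY)
    # Always hash and compare; only then consult whether the user is real.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return (False, GENERIC)
    return (True, "Welcome")

def leaks_existence(login, known_user: str, unknown_user: str) -> bool:
    """Defender's check: do the failure messages for a real and a bogus
    username differ? If so, the login page enables user enumeration."""
    _, msg_known = login(known_user, "wrong-password")
    _, msg_unknown = login(unknown_user, "wrong-password")
    return msg_known != msg_unknown

if __name__ == "__main__":
    print("verbose leaks:", leaks_existence(login_verbose, "alice", "bob"))
    print("generic leaks:", leaks_existence(login_generic, "alice", "bob"))
```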

Topics

#user enumeration #web application security #login security #generic error messages

Community Discussion

No community discussion yet for this question.
