CISSP Question #603: Real Exam Question with Answer & Explanation
The correct answer is B: Disable the account after a limited number of unsuccessful attempts.
Submitted by tunde_lagos · Mar 5, 2026 · Identity and Access Management
Question
Which of the following is the BEST defense against password guessing?
Options
- A. Limit external connections to the network.
- B. Disable the account after a limited number of unsuccessful attempts.
- C. Force the password to be changed after an invalid password has been entered.
- D. Require a combination of letters, numbers, and special characters in the password.
Explanation
Account lockout policies are the most direct and effective countermeasure against password guessing and brute-force attacks by blocking access after repeated failures.
Common mistakes
- A. Limiting external connections may reduce the attack surface from remote threats but does not prevent insider password guessing attempts or attacks originating from within the permitted network segments.
- C. Forcing a password change after an invalid entry is not a standard or practical security control and would cause severe usability issues while not actually stopping an attacker from continuing to guess the new password.
- D. Requiring complex passwords (letters, numbers, special characters) increases the search space for guessing attacks but does not directly prevent an attacker from making unlimited guessing attempts over time.
Concept tested: Account lockout policy as brute-force defense
Topics
password security, brute-force defense, account lockout