CISSP · Question #603
Which of the following is the BEST defense against password guessing?
The correct answer is B. Disable the account after a limited number of unsuccessful attempts.. Account lockout policies are the most direct and effective countermeasure against password guessing and brute-force attacks by blocking access after repeated failures.
Question
Which of the following is the BEST defense against password guessing?
Options
- ALimit external connections to the network.
- BDisable the account after a limited number of unsuccessful attempts.
- CForce the password to be changed after an invalid password has been entered.
- DRequire a combination of letters, numbers, and special characters in the password.
How the community answered
(34 responses)- A6% (2)
- B76% (26)
- C3% (1)
- D15% (5)
Why each option
Account lockout policies are the most direct and effective countermeasure against password guessing and brute-force attacks by blocking access after repeated failures.
Limiting external connections may reduce the attack surface from remote threats but does not prevent insider password guessing attempts or attacks originating from within the permitted network segments.
Disabling or locking an account after a limited number of unsuccessful login attempts directly interrupts automated or manual password guessing attacks by preventing further attempts. This account lockout policy ensures that even a weak password cannot be guessed through repeated trials, as the attack vector is cut off before enough attempts can succeed. It is a standard security control defined in frameworks like NIST SP 800-63B and implemented via OS and directory service policies.
Forcing a password change after an invalid entry is not a standard or practical security control and would cause severe usability issues while not actually stopping an attacker from continuing to guess the new password.
Requiring complex passwords (letters, numbers, special characters) increases the search space for guessing attacks but does not directly prevent an attacker from making unlimited guessing attempts over time.
Concept tested: Account lockout policy as brute-force defense
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy
Topics
Community Discussion
No community discussion yet for this question.