GCIH · Question #639
A security examiner has been given permission by senior management to conduct a password audit. What should she make sure of after the process?
The correct answer is A. Cracked passwords are removed from the system. After a password audit, all cracked passwords must be immediately removed or reset to remediate the identified vulnerabilities and prevent exploitation.
Question
A security examiner has been given permission by senior management to conduct a password audit. What should she make sure of after the process?
Options
- ACracked passwords are removed from the system
- BAcceptability rules are defined as the audit happens
- CUsers can change passwords at their discretion
- DCracked passwords are stored on the system
How the community answered
(26 responses)- A96% (25)
- C4% (1)
Why each option
After a password audit, all cracked passwords must be immediately removed or reset to remediate the identified vulnerabilities and prevent exploitation.
A password audit's value lies in identifying weak credentials that an attacker could also crack; leaving those passwords active after discovery means the vulnerability remains open and the audit accomplished nothing from a risk-reduction standpoint. Once cracked passwords are identified, they must be removed or forced to reset so that the window of exposure is closed before a malicious actor can leverage the same techniques to gain unauthorized access.
Password acceptability rules and audit criteria must be defined and approved before the audit begins, not formulated during the process, to ensure the scope and methodology are authorized and consistent.
Leaving the decision to change passwords entirely to users after weak credentials are discovered does not guarantee timely remediation and keeps the organization exposed for an indefinite period.
Retaining cracked passwords on the system creates a secondary security risk by leaving a record of compromised credentials accessible to anyone who gains access to that system.
Concept tested: Password audit post-process remediation steps
Source: https://csrc.nist.gov/publications/detail/sp/800-63b/final
Topics
Community Discussion
No community discussion yet for this question.