Authentication and Authorization
Terms in this set (107)
________ takes place when you are presenting credentials to a system to indicate exactly who you are with respect to the system
_______, also called authenticators, are the pieces of information you present to the system to assert your identity
_______ is the process of verifying that the credentials presented are valid and that they do indeed belong to a user authorized to access the system.
The credentials are validated against a database of user credentials, and if those credentials match, the user is allowed to access the system and is said to be ______________.
______________ covers the rights, permissions, and privileges that a user has only after he has been successfully authenticated to a system
What are the authentication factors?
1) Something You Know
2) Something You Have
3) Something You Are
4) Something You Do
5) Somewhere You Are
What is the most common example of multifactor authentication?
The use of smart cards and PIN combinations
What is a false rejection rate?
- also known as a type I error.
- relates to the errors caused by rejecting someone who is in fact an authorized user and should have been authenticated by a biometric system
What is a false acceptance rate?
- type II error
- indicates the rate at which a biometric system erroneously identifies and authenticates unauthorized users as valid users
crossover error rate
the point at which the system must be tuned to reduce both types of errors effectively without increasing either one of them
A transitive trust usually means that the organization trusts another entity simply because they are trusted by someone else that the organization trusts
A federated system involves the use of a common authentication system and credentials database that multiple entities use and share.
This ensures that a user's credentials in Company A would be acceptable in Company B and Company C, and only access permissions would be the determining factor in accessing systems and data.
Windows Active Directory is a good example of a federated system in practice; user credentials from different domains could be used in other domains if they are all part of the same Active Directory forest.
- the process of determining who gets what type of access to systems and data
- part of an access control policy, which relates to how the organization determines who gets access to what systems and data based upon the sensitivity of those systems and data
access control policy
- dictates how an organization handles its authorization processes
- Data sensitivity policies also dictate authorization
- organization's stance on the principle of least privilege, how duties are separated and divided among key personnel
principle of least privilege
- granting only the level of access someone needs to do her job, and no more than that
- a person should get the minimum access to systems and data required to complete her daily duties
- applies not only to being able to view and interact with data; it also applies to actions users can take with respect to the system and the network
separation of duties
- involves dividing up critical or security-related tasks and responsibilities among two or more individuals, rather than allowing one individual to perform an excessive number of powerful tasks
- When implemented, critical or security-related tasks can't all be performed by one individual without checks and balances from other individuals
- This reduces the likelihood of malicious behavior on the part of any single individual. It also ensures that no one individual can cause catastrophic damage to systems and data within the organization.
What is the difference between right/privilege and permissions?
- Rights and privileges involve what a user can or cannot do on a system;
- permissions apply to what can or cannot be done to a resource.
access control list (ACL)
- a physical or logical list that details the specific access levels an individual may have to an object such as a shared file or folder.
- In some cases, an ACL may also tell what type of actions a user may take on a system or network.
- ACLs are used in many different contexts in security
access control model
Authorization within a network or system is based upon an organization's access control model, a logical model that details exactly how users can interact with systems and data of various sensitivities.
Mandatory access control (MAC)
- a model often found in highly secure environments, such as defense or financial systems.
- a user is granted access to a particular system or data based upon his security clearance level.
- Data is assigned different labels that designate its sensitivity and the security clearance required to access it.
- based upon their need-to-know requirements.
Even on the same system, users who have the requisite security clearances don't always get access to all of the data at the same clearance level; each user's job requirements must also indicate a valid need to access the data.
- MAC models are either confidentiality or integrity models. A confidentiality model emphasizes protection against unauthorized access, and an integrity model emphasizes the need to protect all data from unauthorized modification.
Discretionary access control (DAC)
- the model most users encounter on a normal basis.
- Microsoft Windows, Mac OS, and Linux systems typically use DAC in both standalone and network environments.
- the user (OWNER) who has created or owns an object --> has the discretion to assign permissions to that object as she sees fit.
- Administrator-level access isn't required to assign permissions
- very flexible model, and owners can assign rights, permissions, and privileges both to individuals and groups of users, which can be logically created in the system based upon different functional or security needs.
Rule-based access control
- rarely seen as a standalone type of access control model
- usually part of MAC model
- all accesses granted in the system are based upon predefined rules, which might include restrictions on when, how, where, and under what circumstances a user may access a particular system or resource.
Ex: during business hours between 8 A.M. and 11 A.M., only the accounting department may have write access to a particular database, but between 1 P.M. and 4 P.M., users in accounting, marketing, and production may have read and write access to the database
- example of rule-based access control is that used in more advanced firewalls, which lists a series of rules that users, network devices, hosts, and network traffic must meet in order to access other hosts and resources on the network.
Role-based access control (RBAC)
- exclusively uses predefined roles, versus groups or users.
- These predefined roles must already exist in the system
- users must be assigned to these roles to have the access levels granted to the roles.
- not discretionary, in that the creator or owner of a resource cannot necessarily assign a user to a particular role simply to give him access.
- Normally an administrative-level user must assign a user to a role.
- Roles might include supervisory roles, administrative roles, management roles, or data change roles that have an increased level of access to systems, data, or other objects.
Single Sign-On (SSO)
- the ability to use the same set of credentials throughout an enterprise
- requires that the infrastructure have interoperable technologies as well as centralized account management and authentication throughout the enterprise --> KERBEROS
- enables you to access resources throughout the enterprise, without requiring an additional set of credentials
- Single sign-on is implemented in Windows environments using the Kerberos authentication protocol.
Security Assertion Markup Language (SAML)
- a standardized method of transferring information about authenticating users to an authentication service
- an open standard that uses XML as its markup language format.
- It's usually seen in web-based applications
- uses three types of information: the principal (the authenticating user), the identity provider, and the service provider
one-time password (OTP)
- generated and used only once, and it is never repeated again
- Usually generated by the system for secure communication sessions
- they are typically generated by tokens or mobile devices to facilitate multifactor authentication.
time-based one-time password (TOTP)
- uses time as a factor to assist in generating the OTP
- prevention of replay attacks
- they are typically generated by tokens or mobile devices to facilitate multifactor authentication.
HMAC-based One-Time Password (HOTP) algorithm
- One algorithm used to generate OTPs
- user is authenticated against the centralized authentication database, and the HMAC value is calculated by the authentication server and sent to the user via an authentication device such as a token
Password Authentication Protocol (PAP)
- older type of protocol
-->seen with older dial-up remote connection methods
--> Point-to-Point Protocol - PPP
- protocol used to pass usernames and passwords to a central authentication server
- passes usernames and passwords insecurely
- not secure and has been deprecated
Challenge-Handshake Authentication Protocol (CHAP)
- Internet standard method of authenticating users or a host to a centralized authentication server
- periodically reauthenticates clients during a session; this process uses a three-way handshake.
- prevents replay attacks and also enables the user to authenticate without directly sending his password over non-secure network connections
- CHAP relies on challenge-responses and hashes passwords, as do other modern protocols. This ensures that passwords or other user credentials are never sent over the network in clear text.
Explain the process of CHAP
1st - The client requests authentication.
2nd - The authentication server sends a challenge message to the user or host. The user inputs his password, and the system hashes the combination of the password and challenge together, using a one-way hash function.
3rd - The host then sends this hashed response back to the authentication server.
4th - The authentication server, which knows the user's password, repeats the hashing process with the password and challenge, and produces its own hash value. If the hash values match, then the authentication server knows that the user input the correct password and the user can be authenticated. If the hash values do not match, authentication fails.
LAN Manager (LANMAN) protocol
- developed and included in Microsoft Windows NT.
- hashes passwords, but the hashes are easily broken if they are obtained by an attacker.
- LANMAN was disabled by default starting in Windows Vista and shouldn't be used
NT LAN Manager (NTLM)
- created by Microsoft to replace LANMAN
- very non-secure protocol
- replaced by NTLM version 2 (v2)
- Both versions are challenge-response authentication protocols and work similarly to CHAP
When is NTLMv2 used over Kerberos?
Understand the situations when Windows will default to using NTLM v2 instead of Kerberos for its authentication protocol. Usually this occurs in situations where there is no AD environment and the host is communicating in a workgroup setup.
- a network authentication protocol that is prominently used in Active Directory implementations.
- created by Massachusetts Institute of Technology (MIT)
- implemented as a centralized, single sign-on authentication mechanism.
- It is an open standard, supported officially as an Internet standard
- uses a system based on authentication tickets and timestamps that are issued out to the authenticated user
- TCP and UDP ports 88, and it uses symmetric key cryptography
What are the Kerberos components?
- Kerberos Key Distribution Center (KDC)
- Authentication Service (AS)
- Ticket-Granting Service (TGS)
True or False: Proper time is critical in Kerberos.
True - Kerberos uses a system based on authentication tickets and timestamps that are issued out to the authenticated user. Timestamps help prevent replay attacks because the tickets expire after a short time and must be refreshed, requiring that the user be reauthenticated and the ticket reissued.
True or False: An infrastructure using Kerberos doesn't need an authoritative time source
FALSE - Kerberos's timestamps rely heavily on authoritative time sources throughout the network architecture, so many implementations also provide for a network time server. If clients are outside a certain tolerance for time difference with the Kerberos server, the users logging into those clients will not be authenticated. The default tolerance for time differences is 5 minutes in an Active Directory network, although this can be changed.
Kerberos Key Distribution Center (KDC)
- responsible for authenticating users and issuing out session keys and tickets
- In Active Directory implementations, the domain controller serves as the KDC.
Authentication Service (AS)
- When a user logs into the system, the AS verifies her identity using the credentials stored in AD
- Issues verified user a Ticket-Granting Ticket (TGT), which can be used to access resources throughout the domain
Ticket-Granting Ticket (TGT)
- used to access resources throughout the domain.
- expires after a certain amount of time, so it must be periodically reissued.
Ticket-Granting Service (TGS)
- When a user wants to access a resource in the domain, the TGT is presented to the TGS for authentication and the TGS generates a session key for the communications session between the user and the resource server.
- This is known as a service ticket and is used for the duration of the access to the resource. When a user later needs access to the same or a different resource, the older ticket is not reused and a new service ticket is generated.
What is the port that Kerberos uses?
TCP and UDP ports 88
Which cryptographic algorithm does Kerberos use?
it uses symmetric key cryptography
Lightweight Directory Access Protocol (LDAP)
- It is NOT an authentication protocol
- Used to assist in allowing authenticated users to browse and locate objects in a distributed network database.
- Used to facilitate authentication and authorization for these objects.
- LDAP is a modern replacement for older X.500 directory services protocols.
Remote Authentication Dial-In User Service (RADIUS)
- to provide for remote connections through older dial-in services
- provides AAA services to clients and providers
- Lacking in security --> Although the communications between the RADIUS client and the RADIUS server are encrypted, communications between the RADIUS client and the remote host are not
- not the host attempting to connect
- it is the network access server itself, which remote hosts connect to
- an intermediary server that processes the connection request and passes it onto other servers
- provide authentication services and can be either Windows or UNIX-based servers
What is the port that RADIUS uses?
User Datagram Protocol (UDP) as its transport protocol on ports 1812 (for authentication and authorization) and 1813 (for accounting functions)
- an AAA protocol proposed to replace RADIUS.
- allows a wider variety of authentication protocols to use it, including the Extensible Authentication Protocol (EAP).
What is the port that DIAMETER uses?
- It uses TCP port 3868
- It also allows for more advanced security using IPsec and Transport Layer Security (TLS).
Terminal Access Controller Access Control System (TACACS)
- supplanted RADIUS
- allows a remote user to connect and authenticate to a network via an intermediary TACACS server
- works pretty much the same way as RADIUS, with a few exceptions
- separates the authentication, authorization, and accounting functions out into separate processes, even allowing them to be handled by separate servers and technologies.
Terminal Access Controller Access Control System +(TACACS+)
- Cisco-proprietary version of the older TACACS protocol
- enabled newer, more secure authentication protocols to be used over it, such as Kerberos and EAP.
- permitted two-factor authentication.
- became an open standard.
- Unlike the issues that plague RADIUS with encryption between the remote host and the RADIUS client, TACACS+ encrypts all traffic between all connection points, to include usernames and passwords.
- Unfortunately, TACACS+ is not backward-compatible with the earlier versions of the protocol.
What is the port that TACACS uses?
TCP port 49
Point-to-Point Tunneling Protocol (PPTP)
- a remote connection protocol designed to carry traffic over an existing network, encapsulating the traffic within it.
- primarily used to connect to clients using an intermediary network, such as the Internet, to provide the transport capabilities between remote host and the destination network
- developed by Microsoft to include VPN connection technologies within Microsoft operating systems.
- enables a client to send data in it, much as you would a letter in an envelope.
- packet contains the destination IP address of the network you are attempting to connect to.
- Inside this PPTP envelope is the traffic that will pass through the external VPN connection device intended for the destination network.
- This traffic would not be secure using PPTP alone; Microsoft uses its proprietary Microsoft Point-to-Point Encryption (MPPE) protocol to secure traffic traveling over PPTP.
- rarely seen over VPN connections these days, as most modern VPNs use some form of L2TP
What is the port that PPTP uses
uses TCP port 172
Layer 2 Tunneling Protocol (L2TP)
- developed jointly by Microsoft and Cisco, but it has become an Internet standard
- Cisco used its proprietary Layer 2 Forwarding (L2F) protocol.
- Like PPTP, L2TP is only an encapsulation protocol, simply providing transport services and protecting data through untrusted networks (such as the Internet) to get it to a destination network.
- It doesn't provide any security services by itself --> BUT it uses IPsec to provide authentication and encryption services for the traffic it contains.
True or False: The reason that L2TP is used over PPTP is that L2TP provides security services by itself.
FALSE - neither L2TP nor PPTP is responsible for securing its traffic payloads using encryption or authentication services. Both are only encapsulating protocols that do the heavy lifting of carrying traffic destined for secure networks through untrusted networks, like the Internet. For security services, L2TP and PPTP rely on other protocols, such as IPsec and MPPE, respectively.
1. Which of the following is the process of validating user credentials?
C. Authentication is the process of validating user credentials.
2. Each of the following would be considered an example of an authenticator, except:
A. Username and password
B. Smart card
D. Folder permissions
D. Folder permissions have to do with authorization, not authentication. Authenticators are elements used in the identification and authentication process.
3. Which of the following authentication factors relies on a specified time period, during which a user must authenticate?
A. The temporal authentication factor relies heavily on time and might be used to require a user to authenticate during a specified time period.
4. Which of the following authentication factors would require that you input a piece of information from memory in addition to using a smart card?
B. The knowledge factor would require that you input a piece of information, such as a password or PIN, from memory in addition to using a smart card.
5. All of the following are examples of single-factor authentication, except:
A. Using a username and password combination to log on to a computer system
B. Answering security questions to reset a password
C. Use of a magnetic-strip security card to enter a secure door
D. Use of a smart card and PIN to log on to a computer system
D. Using a smart card and PIN is an example of multifactor authentication.
6. Which of the following is the error rate at which biometric systems should be calibrated?
A. False positive rate
B. False rejection rate
C. False acceptance rate
D. Crossover error rate
D. The crossover error rate is the point at which biometric systems should be calibrated to reduce false acceptance and false rejection rates.
7. Which of the following are factors used in biometrics? (Choose two.)
B. Handprint geometry
D. Retinal patterns
B, D. Both handprint geometry and retinal patterns are factors used in biometric authentication systems.
8. You are implementing an authentication system for a new company. This is a small company, and the owner has requested that all users be able to create accounts on their own individual workstations. You would like to explain to the owner that centralized authentication might be better to use. Which of the following are advantages of centralized authentication? (Choose two.)
A. Centralized security policies and account requirements
B. Ability of individuals to set their own security requirements
C. Ability to use single sign-on capabilities within the entire organization
D. Requirements have different usernames and passwords for each workstation and resource
A, C. Centralized system security policies as well as the ability to use single sign-on throughout the organization are two advantages of centralized authentication.
9. Which of the following scenarios describes a transitive trust situation?
A. Company A trusts the authentication systems of Company B, and vice versa.
B. Company A trusts the authentication systems of Company B, but Company B does not trust Company A's authentication systems.
C. Company A trusts the authentication systems of Company B, and Company B trusts the systems of Company C, so Company A trusts Company C.
D. Company A trusts the authentication systems of Company B and Company C, both explicitly.
C. In a transitive trust situation, Company A trusts the authentication systems of Company B, and Company B trusts the systems of Company C, so Company A trusts Company C.
10. Which of the following terms describes a common authentication system used by multiple entities, enabling users from any of the entities to authenticate seamlessly to one another's systems?
D. Transitive trust
A. A federated system is a common authentication system shared among all entities. It allows users from any of the entities to access systems in one another's infrastructure.
11. Which of the following terms describes the process of allowing access to different resources?
A. Authorization describes the process of allowing access to different resources.
12. Which of the following states that users should be given only the level of access needed to perform their duties?
A. Separation of duties
C. Principle of least privilege
C. The principle of least privilege states that users should be given only the level of access needed to perform their duties.
13. Not allowing system administrators to have access to security audit logs is an example of __________.
A. principle of least privilege
B. separation of duties
C. job rotation
B. This is an example of separation of duties, since allowing system administrators to have access to security logs might allow them to take unauthorized actions and then delete any trace of those actions.
14. The ability to write to a particular file is an example of a __________.
C. discretionary access control model
D. The ability to write to a file is the example of a permission.
15. Which of the following would detail the particular access levels of an individual for a given object?
A. Access control list
B. Rule-based access control model
C. Role-based access control model
A. An access control list would detail the particular access levels of an individual for a given object.
16. Which of the access control models is based upon labels assigned to data and matching security clearances?
A. Discretionary access control
B. Rule-based access control
C. Role-based access control
D. Mandatory access control
D. The mandatory access control model is based upon labels assigned to data and matching security clearances.
17. Which of the following access control models allows object creators and owners to assign permissions to users?
A. Rule-based access control
B. Discretionary access control
C. Mandatory access control
D. Role-based access control
B. The discretionary access control model allows object creators and owners to assign permissions to users.
18. Restricting access to a particular system, based upon a stringent set of requirements including time of day, workstation, type of access, and resource is an example of which access control model?
A. Rule-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control
A. This is an example of rule-based access control, since access is based upon a series of restrictions or rules.
19. Which of the following are used as a basis for access in role-based access control models?
A. Discretionary access control groups
B. Individual users
C. Predefined roles
D. Set of predefined rules
C. Predefined roles are used as a basis for access in role-based access control.
20. An administrator wants to restrict access to a particular database based upon a stringent set of requirements. The organization is using a discretionary access control model. The database cannot be written to during a specified period when transactions are being reconciled. What type of restriction might the administrator impose on access to the database?
A. Access restricted by the database owner
B. Access based upon membership in a logical group
C. Access from a particular workstation
D. Time-of-day and object permission restrictions
D. The administrator would want to impose both a time-of-day and object permission restriction on users to prevent them from writing to the database during a specified time period.
21. Which of the following allows a user to use one set of credentials throughout an enterprise?
C. Single Sign-on
C. Single sign-on allows a user to use one set of credentials throughout an enterprise to access various resources without having to reauthenticate with a different set of credentials.
22. Which of the following would use a SHA-2 algorithm to generate a password that is used for only one session?
A. Kerberos Authentication Service
D. Kerberos Ticket-Granting Service
B. The HMAC-based One-Time Password (HOTP) algorithm uses hashing algorithms, such as SHA, to generate one-time passwords.
23. Which of the following authentication protocols sends user and password information in clear text?
C. MS-CHAP v2
A. The Password Authentication Protocol (PAP) sends user and password information in clear text and should not be used.
24. Which of the following authentication protocols was the first of its kind to offer challenge-response mechanisms for protecting user credentials sent over a network?
D. The Challenge Handshake Authentication Protocol (CHAP) was the first authentication protocol designed to offer challenge-response mechanisms for protecting user credentials sent over a network.
25. Under which of the following circumstances would a Windows host use Kerberos instead of NTLM v2 to authenticate users?
A. Authenticating to a server using only an IP address
B. Authenticating to a modern Windows Active Directory domain
C. Authenticating to a different Active Directory forest with legacy trusts enabled
D. Authenticating to a server in a Windows workgroup
B. When authenticating to a modern Windows Active Directory domain, Windows uses Kerberos as its authentication protocol by default.
26. Which of the following issues a service ticket to a user in a Kerberos realm?
A. Authentication Service
B. Server Service
C. Ticket-Granting Service
D. Key Distribution Center
C. The Ticket-Granting Service issues a service ticket to a user in a Kerberos realm.
27. Which of the following remote authentication protocols uses UDP ports 1812 and 1813?
D. RADIUS uses UDP ports 1812 and 1813.
28. All of the following are characteristics of the RADIUS authentication protocol, except:
A. It encrypts data between the RADIUS client and the remote host.
B. It uses UDP port 1812 for authentication and authorization.
C. It supports both PAP and CHAP.
D. The RADIUS client is the network access server that requests authentication information from the RADIUS server.
A. RADIUS does not encrypt data between the RADIUS client and the remote host.
29. Which of the following remote authentication protocols can use both Kerberos and EAP, as well as multifactor authentication?
B. TACACS+ supports both Kerberos and EAP, as well as multifactor authentication.
30. Which of the following are characteristics of the Point-to-Point Tunneling Protocol (PPTP)? (Choose two.)
A. Uses TCP port 1723
B. Uses TCP port 1701
C. Uses MPPE as its encryption protocol
D. Uses IPsec as its encryption protocol
A, C. PPTP uses TCP port 1723 as well as MPPE for its security protocol and encryption mechanism.
____________ is the entire process of creating accounts, assigning them to users or groups, assigning those accounts permissions, and ensuring that users are creating passwords that meet organizational policy requirements.
31. Which of the following methods are used to manage user credentials? (Choose two.)
D. Active Directory
B, C. Centralized and decentralized methods are used to manage user credentials in an organization.
32. Which of the following is used in a Windows Active Directory network to push policies down to individual users and computers?
A. Account policy
B. Group policy
C. Rights, permissions, and privileges
D. Password policy
B. Group policy is the method used to push security policy elements to individual computers and users in a Microsoft Windows Active Directory structure.
33. Which of the following terms describes the number of possible combinations in a password?
A. Character space
B. Character set
A. Character space describes the number of possible combinations in a password.
34. Which of the following is used to prevent the reuse of passwords?
A. Disabling accounts
B. Account lockout
C. Password complexity
D. Password history
D. The password history setting in the account policy is used to prevent the reuse of older passwords.
35. Which of the following factors determines how often passwords should expire and be reset?
A. Password history
B. The minimum amount of time the user is required to use the same password
C. The time and effort it may take for a hacker to crack the password
D. Account lockout duration
C. The time it might take a hacker to crack a password, based on complexity and other considerations, is usually the primary factor that drives how long the password can be valid before it expires and must be changed.
36. Which of the following should be done to a user's account when the user is under investigation for an indefinite period of time?
A. The account should be deleted.
B. The account should be locked.
C. The password for the account should be changed.
D. The account should be disabled.
D. If a user is under investigation, this may mean only a temporary suspension of his access to systems and data. Under this circumstance, the account should be disabled until management deems otherwise.
37. Which of the following is the primary way to defeat brute-force attacks on passwords?
A. Account deletion
B. Account lockout
C. Password changes
D. Password history
B. Account lockout is the best way to prevent brute-forcing a user account and password, since a malicious user can attempt to log in only a few times before the account is locked.
38. Several users in the accounting department each require the same levels of access to the accounting server and its share data. Which of the following is the most efficient way to grant access to these users?
A. Create a logical group, assign the group the appropriate permissions to the resources, and then add the individual accounting user accounts to the group.
B. Assign each accounting user the appropriate permissions to the resources.
C. Create a logical group, assign the group the appropriate permissions to the resources, assign the appropriate permissions also to each individual user account, and then add the individual accounting user accounts to the group.
D. Create a logical group, then assign the appropriate permissions to each individual user, and then add those user accounts to the group.
A. The most efficient way is to create a logical accounting group, assign that group the appropriate permissions to the accounting server resources, and then add the individual accounting user accounts to the group.
39. Which of the following are the best ways to ensure that user accounts are being used appropriately and securely? (Choose two.)
A. Periodically review assigned privileges.
B. Allow users to maintain their privileges indefinitely, even during promotion or transfer.
C. Continuously monitor accounts, through auditing, to ensure accountability and security.
D. Ensure that users' permissions stay cumulative, regardless of which group or job role they occupy.
A, C. Periodic reviews and continuous monitoring are two ways to ensure that accounts and privileges are used in accordance with organizational policy and in a secure manner.
40. Which of the following should usually be avoided and, if used, carefully documented and controlled?
A. System accounts
B. Multiple accounts
C. Shared accounts
D. Individual accounts
C. Shared or group accounts should be avoided, and, if used, they should be thoroughly documented and carefully controlled.
______________ consists of increased length and character sets. Both contribute to the character space (number of possible combinations) and a password's security.
A _____________ setting in your account policy would prevent users from reusing the same password they have used for a certain number of passwords.
How is password reuse implemented?
A password reuse policy is made possible by the password history, which stores the user account's passwords for a certain number of password change cycles. If the password history is set to 10, for example, the system would store the user's last 10 passwords. Beyond this setting, the user can, of course, reuse a password, but setting stringent password aging requirements would prevent the user from reusing passwords for a particular period of time.
__________________ would prevent the user from reusing passwords for a particular period of time
password aging requirements
______________ shortens the amount of time that an attacker may have to crack a password and use it. Depending on password length and complexity, it can take an inordinate amount of time to crack. The idea is to make sure the passwords expire before they are cracked.
If a user does not change her password within the allowed amount of time, her account should be locked, so that she cannot use the account again until the password is changed. This forces the user to change her password, and when she again creates a new password, the expiration time for that password is reset. What is this policy called?
True or False: Perhaps a user has repeatedly input an incorrect password—the system would automatically disable the account to prevent its compromise, in case an attacker is attempting to brute-force the account. Or an account may be temporarily disabled if a user is on vacation—or if he is under investigation for a crime involving the computer. The user may not be allowed to use the account during either of these two circumstances, so the account would be manually disabled until management determines that it can be re-enabled.
True - Accounts should be disabled temporarily whenever a user does not need access to the system. They should not be permanently deleted until you determine that a user will never need access to the system again.
____________________ is a part of an account policy that is used to protect user accounts from being compromised.
You should always set account lockout as part of your organization's account policy. If account lockout is not set, a malicious user could use brute-force techniques to guess a password and access an account.