A security administrator is concerned about the strength of user’s passwords. The company does
not want to implement a password complexity policy. Which of the following can the security
Administrator implement to mitigate the risk of an online password attack against users with weak
passwords?

A.
Increase the password length requirements

B.
Increase the password history

C.
Shorten the password expiration period

D.
Decrease the account lockout time

Explanation:
Reducing the password expiration period will require passwords to be changed at the end of that
period. A password needs to be changed if it doesn’t meet the compliance requirements of the
company’s password policy, or is evidently insecure. It will also need to be changed if it has been
reused, or due to possible compromise as a result of a system intrusion. This will give online
password attackers less time to crack the weak passwords.