PrepAway - Latest Free Exam Questions & Answers

Which of the following controls should be configured to BEST accomplish this task?

A system administrator wants to prevent password compromises from offline password attacks.
Which of the following controls should be configured to BEST accomplish this task? (Select TWO)

A. Password reuse

B. Password length

C. Password complexity

D. Password history

E. Account lockouts

5 Comments on “Which of the following controls should be configured to BEST accomplish this task?”

  1. Paul says:

    Need to consider a different thought here. If a password is compromised offline but you have effective password reuse policies, then the bad guy would find his/her work useless, because the password has been changed and the old password would not be used again. I think that complexity and length are probably correct for this question, but a real case can be made for password reuse. It would prevent password compromises from offline password attacks.

  2. Super_Mario says:

    What Is “Offline Password Cracking?”
    Offline Password Cracking is an attempt to recover one or more passwords from a password storage file that has been recovered from a target system. Typically, this would be the Security Account Manager (SAM) file on Windows, or the /etc/shadow file on Linux. In most cases, Offline Password Cracking will require that an attacker has already attained administrator / root level privileges on the system to get to the storage mechanism. It is possible, however, that the password hashes could also have been pulled directly from a database using SQL injection, an unprotected flat text file on a web server, or some other poorly protected source.
    Using Online Password Cracking, an attacker does not have to have any previous access to the system. The attacker uses the interface or service presented to legitimate users, such as a login web page or an SSH or FTP server, to try to guess user account names and passwords. However, Online Password Cracking is much slower than Offline Password Cracking; Offline Password Cracking can be 1000 – 1,000,000 times faster than cracking online. Online Password Cracking is also noisier, potentially leaving one entry per attempt in a log file. Once the credential storage mechanism is recovered, Offline Password Cracking leaves no other trace on the victim’s system.
    Most security professionals advise that the following are the three best options against online and offline password attacks:
    1) Length of passwords
    2) Complexity of passwords
    3) Password Reuse and History

    The question here asks for the BEST two, so I would choose: B & C.
    Also, as mentioned by Will, “E - Account lockouts” is not a possible answer, as we are dealing with DATA AT REST: this is an OFFLINE hack and not an ONLINE hack.

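The comment above makes the defender's point that a lockout only bites when the attacker is guessing through the live login interface, while length and complexity enlarge the keyspace an attacker must search once the hashes are already in hand. The Python below is an added example, not code from PrepAway or from either commenter: it enforces a hypothetical length/class/history policy, stores the password history as salted PBKDF2 digests, and estimates exhaustive-search time at two constructed guess rates (a throttled online interface versus an attacker's own hardware). The rates, thresholds, and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed guess rates (assumptions for illustration, not measured figures):
# a throttled login interface versus an attacker's own hardware against leaked hashes.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 1_000_000_000

# Hypothetical policy thresholds.
MIN_LENGTH = 12
MIN_CLASSES = 3
PBKDF2_ITERATIONS = 100_000

# Character classes and the alphabet each contributes to a brute-force keyspace.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password's classes."""
    return sum(len(CHAR_CLASSES[name]) for name in classes_used(password))


def keyspace_bits(password: str) -> float:
    """log2 of the keyspace implied by the password's length and character classes."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_crack_seconds(password: str, guesses_per_sec: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return (alphabet_size(password) ** len(password)) / 2 / guesses_per_sec


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 as the stored form for the password history."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password: str, history) -> bool:
    """Re-derive with each stored salt and compare in constant time against the stored digest."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_policy(password: str, history=()) -> list:
    """Return the list of policy violations (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    used = len(classes_used(password))
    if used < MIN_CLASSES:
        problems.append(f"only {used} character class(es); {MIN_CLASSES} required")
    if in_history(password, history):
        problems.append("matches a previously used password")
    return problems


def main():
    # Constructed sample passwords; none are real credentials.
    for pw in ("abcdefgh", "Summer2024", "C0rrect-Horse-Battery"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits of keyspace")
        print(f"  online  ~{expected_crack_seconds(pw, ONLINE_GUESSES_PER_SEC):.3g} s")
        print(f"  offline ~{expected_crack_seconds(pw, OFFLINE_GUESSES_PER_SEC):.3g} s")
        print(f"  policy: {check_policy(pw) or 'OK'}")
    previous = [hash_password("C0rrect-Horse-Battery")]
    print("reuse check:", check_policy("C0rrect-Horse-Battery", previous))


if __name__ == "__main__":
    main()
```

Running it shows the asymmetry the commenter describes: the same eight-lowercase-letter password that would take centuries to exhaust through a ten-guess-per-second login page falls in minutes once the hash is offline, and nothing about a lockout threshold enters that second calculation. Only the length and alphabet terms do, which is why the history check is stored as salted, iterated hashes rather than as plaintext the same attacker could read.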
