A security administrator must implement all requirements in the following corporate policy:
Passwords shall be protected against offline password brute force attacks. Passwords shall be
protected against online password brute force attacks. Which of the following technical controls
must be implemented to enforce the corporate policy? (Select THREE).
A. Account lockout
B. Account expiration
C. Screen locks
D. Password complexity
E. Minimum password lifetime
F. Minimum password length
Explanation:
Correct answers: A, D and F.
A brute force attack is a trial-and-error method used to obtain information such as a user password
or personal identification number (PIN). Automated software generates a large number of consecutive
guesses for the value being sought. Brute force attacks may be used by criminals to crack encrypted
data or captured password hashes, or by security analysts to test an organization's network security.
A brute force attack may also be referred to as brute force cracking.
A dictionary attack is a form of brute force attack that tries every word in a word list. Other forms
try commonly used passwords, or every combination of letters, numbers and symbols up to a given length.
The policy names two different attacks, and they call for different controls.
In an offline attack the attacker already holds a copy of the password hashes (for example from a
stolen database) and tests guesses against them on their own hardware. The login server never sees
those guesses, so account lockout cannot help; the only defence is to make the space of possible
passwords too large to search, which is what minimum length and complexity do.
In an online attack the attacker submits guesses to the live login service. Here the server sees
every attempt and can stop the guessing, which is what account lockout does.
The following policies therefore enforce the corporate policy:
F: Minimum password length. This policy specifies the minimum number of characters a password
must have. Each additional character multiplies the number of candidates an offline attacker must
try, so length is the most effective single factor. A minimum of 8 characters is the commonly
cited floor for good security practice.
D: Password complexity determines which character classes a password must include. For example,
you could require uppercase and lowercase letters and numbers. This rules out passwords that are
plain dictionary words, which are the first thing a cracking tool tries. Complexity alone does not
stop predictable variants such as a dictionary word followed by a digit, which cracking tools also
try early, so it should be combined with the length requirement.
A: Account lockout policy: This policy locks a user account after a number of incorrect password
entries. For example, you could specify that if a wrong password is entered three times, the account
is locked for a period of time, or indefinitely until an administrator unlocks it. A temporary lock
is usually preferred: an attacker who can trigger lockouts at will could otherwise use an indefinite
lockout to deny service to legitimate users.
Account expiration (B), screen locks (C) and a minimum password lifetime (E) do not limit password
guessing in either scenario.
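The three controls as they would be implemented in an authentication service, as an added example that is not part of the original question or explanation. The threshold of three failures and the "upper, lower and digits" rule follow the text; the 15-minute lock duration, the symbol alphabet size, the user name and the sample passwords are assumptions made for the example. The key-space calculation is included to show why length and complexity are offline defences: they only change how many guesses an attacker with the hash must make.

```python
"""Password policy (length + complexity) and account lockout, added example.
Thresholds, the demo account and sample passwords are assumptions."""
import hmac
import math
import re
import time
from dataclasses import dataclass

# --- D and F: complexity and minimum length (offline defence) ---
# An offline attacker holds the hash and is limited only by hardware, so the
# only lever the policy has is the size of the space they must search.
MIN_LENGTH = 8                                   # from the text
CHARACTER_CLASSES = {                            # regex, alphabet size
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),  # assumption: printable ASCII punctuation
}
REQUIRED_CLASSES = {"lower", "upper", "digit"}   # "uppercase and lowercase letters and numbers"


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {name for name, (rx, _) in CHARACTER_CLASSES.items() if rx.search(pw)}
    missing = REQUIRED_CLASSES - present
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force search space implied by the length and character classes used."""
    alphabet = sum(size for _, (rx, size) in CHARACTER_CLASSES.items() if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


# --- A: account lockout (online defence) ---
# Online, every guess goes through the login endpoint, so the server can count
# failures per account and refuse further attempts for a while.
LOCKOUT_THRESHOLD = 3          # from the text: "wrong password is entered three times"
LOCKOUT_SECONDS = 15 * 60      # assumption: temporary lock rather than indefinite


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, credentials: dict, clock=time.time):
        # Demo only: a real service stores salted, slow password hashes, not passwords.
        self._creds = credentials
        self._state = {}
        self._clock = clock  # injectable so the lock expiry can be tested offline

    def attempt(self, user: str, password: str) -> str:
        """Return "ok", "denied" or "locked". A locked account is refused even when
        the password is right, so the attacker learns nothing from further guesses."""
        now = self._clock()
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        expected = self._creds.get(user, "")
        if hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def demo() -> list:
    """Constructed online attack: three bad guesses, then the right password before and after expiry."""
    clock = [1_000_000.0]  # fake clock, advanced by hand
    guard = LoginGuard({"alice": "Tr0ub4dor&3"}, clock=lambda: clock[0])
    results = [guard.attempt("alice", g) for g in ("password", "123456", "letmein")]
    results.append(guard.attempt("alice", "Tr0ub4dor&3"))  # correct, but the account is locked
    clock[0] += LOCKOUT_SECONDS
    results.append(guard.attempt("alice", "Tr0ub4dor&3"))  # lock has expired
    return results


if __name__ == "__main__":
    for pw in ("abc", "Password1", "correcthorsebatterystaple"):
        print(f"{pw!r}: violations={check_password(pw)} keyspace={keyspace_bits(pw):.1f} bits")
    print(demo())
```

Running it shows the caveat from the explanation in numbers: "Password1" satisfies the complexity rule with about 54 bits of key space, while the 25-letter lowercase passphrase fails complexity yet has over 100 bits. Complexity rules catch bare dictionary words, but length is what actually raises the offline cost, and neither has any effect on the online attack, where the lockout returns "locked" on the third failure and keeps refusing the correct password until the lock expires.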