Security+ Section 11.7.8 Quiz


In a variation of the brute force attack, an attacker may use a predefined list of common usernames and passwords to gain access to existing user accounts. Which countermeasure best addresses this issue? Options: 3DES encryption; VLANs; AES encryption; A strong password policy

A strong password policy - A strong password policy is the best defense against dictionary attacks. The policy must be enforced, and all users must be trained to properly construct and protect strong passwords.

Which of the following strategies can protect against a rainbow table password attack? Options: Encrypt the password file with one-way encryption; Enforce strict password restrictions; Add random bits to the password before hashing takes place; Educate users to resist social engineering attacks

Add random bits to the password before hashing takes place - Some authentication protocols send password hashes between systems during the authentication process. Rainbow table attacks apply hashing algorithms to every word in a dictionary (sometimes including hybrids or passwords accumulated through brute force techniques) in an attempt to match hashed passwords. To protect against this type of attack, you can salt the hash by adding random bits to the password before hashing takes place, which produces an entirely different hash value for the same password. Because the attacker does not know the extra random bits, the rainbow table is of no value.

You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using? Options: Brute force attack; Pass-the-hash attack; Password sniffing; Keylogger

Brute force attack - In a brute force attack, every password is eventually found because the technique tests every possible keystroke for each single key in a password until the correct one is found.

Which of the following techniques involves adding random bits of data to a password before it is stored as a hash? Options: Password sniffing; Keylogging; Pass-the-hash attack; Password salting

Password salting - Password salting adds random bits of data to a password before it is stored as a hash, making password cracking much more difficult.

Which of the following password attacks uses preconfigured matrices of hashed dictionary words? Options: Brute-force attack; Rainbow table attack; Hybrid attack; Dictionary attack

Rainbow table attack - A rainbow table attack applies hashing algorithms to every word in a dictionary (sometimes including hybrids or passwords accumulated through brute force techniques) and saves the results in a table or matrix. A captured password hash is then compared to the pre-computed hashes in the matrix until a match is found.

Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account, and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred? Options: Dumpster diving; Social engineering; Shoulder surfing; Password guessing

Social engineering - Social engineering relies on human error. It works by feigning trustworthiness to convince someone to share information.

Which of the following best describes shoulder surfing? Options: Giving someone you trust your username and account password; Finding someone's password in the trash can and using it to access their account; Someone nearby watching you enter your password on your computer and recording it; Guessing someone's password because it is so common or simple

Someone nearby watching you enter your password on your computer and recording it. - Shoulder surfing is watching and recording a password, PIN, or access code as it is being entered by someone nearby.

You want to check a server for user accounts that have weak passwords. Which tool should you use? Options: Nessus; John the Ripper; OVAL; Retina

John the Ripper - John the Ripper is a password cracking tool. Password crackers perform cryptographic attacks on passwords. Use a password cracker to identify weak passwords or passwords protected with weak encryption.

You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled? Options: Dumpster diving; Social engineering; Shoulder surfing; Password guessing

Dumpster diving - Dumpster diving relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecured places that give attackers access to it.

A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work. When provisioning Bob's user account in your organization's domain, you assigned an account name of BSmith with an initial password of bw2Fs3d. On first login, Bob is prompted to change his password. He changes it to the name of his dog, Fido. What should you do to increase the security of Bob's account? (Select two.) Options: Use Group Policy to require strong passwords on user accounts; Require him to use the initial password, which meets the complexity requirements; Use a stronger initial password when creating user accounts; Configure user account names that are not easy to guess; Do not allow users to change their own passwords; Train users not to use passwords that are easy to guess

Use Group Policy to require strong passwords on user accounts. Train users not to use passwords that are easy to guess. - In this scenario, a weak password that is easy to guess has been used. To prevent this type of password, you should do two things. First, use Group Policy to require strong passwords on user accounts; in this example, Fido is a weak password because it is short and contains no numbers or other non-alphabetic characters. Second, train users not to use passwords that are easy to guess; in this example, the user's password could very likely be guessed using basic reconnaissance on social media websites.
