5.4 Security Password Policies Elements Flashcards

Summarize security password policies elements, such as management, complexity, and password alternatives (multifactor authentication, certificates, and biometrics). (31 cards)

1
Q

What is the primary goal of a password management policy?

A

To ensure passwords are created, stored, and managed securely.

A good password management policy outlines procedures for creating strong passwords, changing them regularly, and securely storing them.

2
Q

List the key components of an effective password management policy.

A
  • Password creation rules
  • Expiration policies
  • History requirements
  • Secure storage practices

Password creation rules: Guidelines for creating strong and secure passwords.

Expiration policies: Rules for changing passwords after a certain period.

History requirements: Ensuring users don’t reuse old passwords.

Secure storage practices: Methods for safely storing passwords, such as encryption.

3
Q

Define:

password complexity

A

The requirement for passwords to contain a mix of characters.

Passwords should mix uppercase, lowercase, numbers, and symbols to increase security against brute-force and guessing attacks.

4
Q

List an example of a secure password due to its complexity.

A

vg!Z867db

A secure password should incorporate upper- and lower-case letters, numbers, and special characters. The password ‘vg!Z867db’ meets these criteria, enhancing its resistance to attacks.

5
Q

Fill in the blanks:

Passwords should be ______ and ______ to enhance security.

A

strong, unique

Using strong and unique passwords is crucial in protecting accounts from unauthorized access and cyber threats.

6
Q

True or False:

Password expiration policies require users to change their passwords every 30 days.

A

False

While some organizations enforce regular password changes, the specific interval can vary, and not all systems require a 30-day reset.

7
Q

Define:

password expiration

A

The policy requiring users to change their passwords after a set period.

Expiration periods, ranging from 30 to 90 days, help limit the time frame during which a compromised password remains valid.

8
Q

Why are password history policies important in security management?

A

They prevent password reuse, reducing the risk of unauthorized access.

By enforcing the use of new passwords, these policies help avoid predictable patterns that could be exploited by attackers trying to guess passwords.

9
Q

What is the primary benefit of multifactor authentication (MFA)?

A

It adds security by requiring multiple forms of authentication.

It usually involves a combination of something you know (password), something you have (token), and something you are (biometric feature).

10
Q

How do digital certificates enhance security compared to passwords?

A
  • They utilize public-key cryptography.
  • They employ a key pair (public and private keys) for authentication.
  • They offer a higher level of security than traditional passwords.

This method strengthens security by providing a more reliable and secure way to verify identities compared to password-based systems.

11
Q

Define:

biometric authentication

A

Authentication based on unique physical traits.

Since physical traits are inherent to individuals, this method offers a high level of security by making it nearly impossible to replicate, ensuring strong identity verification.

12
Q

True or False:

Biometric authentication is always more secure than passwords.

A

False

While biometrics are generally secure, they can be spoofed or misused, and are most effective when combined with other authentication methods.

13
Q

List three common types of biometric authentication methods.

A
  1. Fingerprint recognition
  2. Facial recognition
  3. Iris scanning

Fingerprint recognition: Verifies identity by analyzing unique fingerprint patterns.

Facial recognition: Identifies individuals based on facial features.

Iris scanning: Uses the unique patterns in the iris for identification.

14
Q

How are passwords typically stored securely in a system?

A

They are hashed and salted before storage.

Hashing converts passwords into a fixed-length value, while salting adds random data to make each password hash unique and resistant to attacks.

15
Q

Define:

password salt

A

Random data added to passwords before hashing.

Salting ensures that identical passwords produce different hashes, preventing attackers from using precomputed hashes (rainbow tables) to crack passwords.

16
Q

Define:

hashing algorithm

A

A function that converts a password into a fixed-length string.

Hashing algorithms like SHA-256 or MD5 are used to ensure that passwords are stored securely, making it nearly impossible to recover the original password from the hash.

17
Q

True or False:

Passwords are the only authentication method in high-security environments.

A

False

High-security environments typically require additional forms of authentication, such as biometrics or certificates, in addition to passwords.

18
Q

What is the role of a password manager in password management?

A

To securely store and organize passwords.

Password managers help users maintain strong, unique passwords for every account without the need to remember them all.

19
Q

Why should users avoid using the same password across multiple accounts?

A

It increases the risk of a breach if one account is compromised.

Using unique passwords for each account limits the damage if one password is exposed, preventing cross-account attacks.

20
Q

Define:

password strength

A

The ability of a password to resist attacks.

Strong passwords are long, complex, and random, making them difficult to guess or crack through methods like brute force or dictionary attacks.

21
Q

True or False:

A password policy should prevent the use of personal information.

A

True

Personal information, like names or birthdates, is often easy for attackers to guess or find, so it should be avoided to enhance password security.

22
Q

Define:

two-factor authentication (2FA)

A

Authentication that requires two different verification methods.

2FA typically combines something you know (password) with something you have (token or phone), providing an additional layer of security.

23
Q

What are three benefits of using multifactor authentication (MFA)?

A
  1. Reduces unauthorized access risk
  2. Enhances overall security
  3. Protects against stolen or compromised passwords

MFA provides additional layers of security, especially when passwords are weak or stolen.

24
Q

List four types of multifactor authentication factors.

A
  1. Something you know
  2. Something you have
  3. Something you are
  4. Somewhere you are

Something you know: e.g., a password or PIN.

Something you have: e.g., a smartphone or security token.

Something you are: e.g., a fingerprint or facial recognition.

Somewhere you are: e.g., your current physical location determined via GPS.

25
Q

List the steps involved in configuring MFA in a system.

A
  1. Enable a primary authentication method.
  2. Select additional authentication factors.
  3. Integrate the secondary factors.
  4. Test the MFA setup.

Enable a primary authentication method: Set up a standard authentication method, such as a password or PIN.

Select additional authentication factors: Choose one or more secondary factors, such as a mobile device, biometric scan, or security token.

Integrate the secondary factors: Implement the chosen secondary factors into your authentication system.

Test the MFA setup: Verify that the MFA system works as intended, requiring multiple forms of verification during the authentication process.

26
Q

Why is MFA preferred over SFA (single-factor authentication)?

A

MFA reduces the risk of unauthorized access, even if one factor is compromised.

By requiring multiple verification steps, MFA provides an extra layer of security, making it harder for attackers to gain access with just one piece of information, like a password.

27
Q

Why are hardware tokens considered a secure MFA method?

A

They provide a physical, tamper-resistant method of verifying identity.

Hardware tokens generate time-based codes or cryptographic keys that are difficult to replicate, offering a higher level of security compared to software-based methods.

28
Q

List four best practices for effective password management.

A
  1. Use strong, unique passwords.
  2. Implement multifactor authentication.
  3. Set password expiration dates.
  4. Avoid reusing passwords.

Following these best practices helps mitigate the risk of account compromise due to weak or reused passwords.

29
Q

True or False:

Writing down complex passwords for easy access is acceptable.

A

False

Writing down passwords compromises security since they can be lost or stolen. Using a password manager is a safer alternative.

30
Q

Describe the steps involved in verifying a password in a secure system.

A
  1. The entered password is hashed.
  2. The hash is compared to the stored hash.

This ensures the password matches the original without exposing it in clear text.

31
Q

What is the difference between symmetric and asymmetric encryption?

A
  • Symmetric encryption uses the same key for both encryption and decryption.
  • Asymmetric encryption uses a public key for encryption and a private key for decryption.

Asymmetric encryption (used in certificates) is more secure because the private key is never shared, unlike symmetric encryption, which uses a shared secret key.