ISC2 Study Notes 2 Flashcards
This setting remembers previous passwords that a user has created and prevents the user from reusing the same passwords.
Enforce Password History
This setting defines how long users must wait before changing their password again; it determines the period of time (in days) that a password must be used before the user can change it.
Minimum Password Age
This setting defines when users must change their password; it dictates the number of days a password can be used before the user is forced to change it.
Maximum Password Age
ensures that passwords are strong (never blank), are of a minimum length, and have been changed within a given time period (such as 90 days).
Password Audit
provide a storage space for users to keep their credentials.
Credential Management System
should never be stored in cleartext; they should be salted and hashed with a strong hashing algorithm such as Secure Hash Algorithm 3 (SHA-3).
Passwords
No other complexity requirements should be imposed on users. Users should be required to create passwords of at least 8 characters and not use passwords in the blacklist. However, they should not be required to create overly complex passwords. Instead, the salted hash should provide the complexity.
Password Info
should not be set to expire. Users should not be required to change their passwords periodically. The only reason they should be required to change their password is if there is evidence of compromise.
Passwords
A ??? is a small device that displays a number. The number changes periodically, such as every 30 seconds, and the user enters the number for authentication.
Hardware Tokens and One-time Passwords
A token using a synchronous dynamic password changes the password at specific times, such as every 60 seconds. This requires the token and the server to be synchronized with the same time.
Synchronous Dynamic Password