A recent online password audit has identified that stale accounts are at risk of brute-force attacks.
Which of the following controls would best mitigate this risk?
A. Password length
B. Account disablement
C. Account lockouts
D. Password complexity
Explanation:
I think account disablement is the better choice. It would be impossible to log in to a disabled account.
With account lockouts, if the lockout threshold is 10, for example, and the lockout duration is 30 minutes, then the attacker has a much better chance at accessing the account.
I can't see a reason why a stale account would be active and available for attack. Most of these types of attacks are after you steal the Security Account Manager (SAM) database, so the account lockout would have no value. Complexity and length would be useful to stop/delay a SAM attack. But if it is a stale account, it should be disabled or deleted. I agree with B.
I feel both B and C are correct. But the link gives more info:
http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
The idea here is to mitigate brute force rather than concentrating on the account type specified, which is just a trick.
B, a stale account must be disabled.
I would go with B. If an account is stale, that means it's inactive, which you would want to disable. If the account is active, then you would enforce account lockouts.