
CISA Exam - Question 1228


Which of the following MOST effectively reduces the probability of a brute force attack being successful?

Correct Answer: AD

Establishing an account lockout policy effectively reduces the probability of a brute force attack being successful. A brute force attack relies on trying numerous possible password combinations until the correct one is found. By locking an account after a certain number of failed login attempts, the policy limits the number of attempts an attacker can make, thereby significantly reducing the chances of success. This directly interrupts the attack process by not allowing unlimited attempts within a short period, making it impractical for attackers to continue.

Discussion

5 comments
Sibsankar
Feb 24, 2024

D is wrong, C is right

mdh717 Option: A
Apr 6, 2024

Establishing an account lockout policy (A) is the most effective method for reducing the probability of a brute force attack being successful. A brute force attack involves trying many passwords or passphrases with the hope of eventually guessing the correct one. An account lockout policy will lock the account after a certain number of failed login attempts, thereby preventing the attacker from continuing to try different password combinations. This policy directly interrupts the brute force attack process by not allowing the attacker unlimited attempts within a short period of time.

2e1f774
May 3, 2024

D is right. It is a trick question. The probability that a brute force attack will be successful depends on the length of the password. Hence, it is important to set minimum password length as a requirement

Swallows Option: D
May 29, 2024

Requiring a minimum password length ensures that passwords are not easily guessable and increases the complexity of potential passwords, making them more resilient against brute force attacks. Longer passwords exponentially increase the time it would take for an attacker to successfully guess the correct combination, thus reducing the probability of a successful brute force attack. While an account lockout policy can deter attackers by limiting the number of login attempts, a strong password policy acts as a barrier against brute force attacks from the outset.

shalota2 Option: A
Jun 7, 2024

By locking an account after a certain number of unsuccessful login attempts, the probability of a brute force attack succeeding is significantly reduced. Attackers are limited in the number of attempts they can make before the account is locked, which makes brute force attacks impractical. I don't know how ISACA thinks about this but in reality and practice the answer is ALWAYS A.

Sibsankar Option: A
Jun 9, 2024

A is lock