
a. Password length

b. Password lifetime

c. Password secrecy

d. Password storage

238. c. No automated vulnerability-testing tool can ensure that system users have not disclosed their passwords; thus secrecy cannot be guaranteed.

Password length can be tested to ensure that short passwords are not selected. Password lifetime can be tested to ensure that passwords expire after a limited lifetime; passwords should be changed regularly or whenever they may have been compromised. Password storage can be tested to ensure that stored passwords are protected against disclosure or unauthorized modification.

239. Use of login IDs and passwords is the most commonly used mechanism for which of the following?

a. Providing dynamic verification of a user

b. Providing static verification of a user

c. Providing a strong user authentication

d. Batch and online computer systems alike

239. b. By definition, a static verification takes place only once at the start of each login session. Passwords may or may not be reusable.

Dynamic verification of a user takes place when a person types on a keyboard and leaves an electronic signature in the form of keystroke latencies, the elapsed times between successive keystrokes. For well-known, regularly typed strings, this signature can be quite consistent. A dynamic verification mechanism works as follows: During enrollment, the user is asked to type his name a number of times, and the mean latencies between keystrokes are stored in the computer as a reference signature; this vector can be viewed as the user’s electronic signature. When the person later wants to access a computer resource, he identifies himself by typing his name, and the latency vector of those keystrokes is compared with the stored reference signature. If the claimant’s latency vector and the reference signature are statistically similar, the user is granted access to the system.

Passwords do not provide strong user authentication. If they did, there would not be a hacker problem today. Passwords provide the weakest user authentication because they can be shared and guessed. Nor are they used alike by batch and online systems: online systems require a user ID and password interactively from a user at login, whereas batch jobs and files carry a user ID and password only when a job is submitted or a file is modified, because batch systems are not interactive.
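The following worked example, added here and not part of the original text, shows the dynamic verification mechanism described above in code: enrollment builds a reference signature from several typing samples, and verification compares a claimant's latency vector against it statistically. The latency values, the name "alice", the mean-absolute-z-score comparison and the acceptance threshold are all constructed assumptions, not measurements or a named product's algorithm.

```python
import statistics

# Constructed enrollment data (not measured): five samples of the latencies, in
# milliseconds, between the successive keystrokes of the name "alice".
# Each sample is a vector of four latencies (a-l, l-i, i-c, c-e).
ENROLLMENT_SAMPLES = [
    [120, 95, 140, 110],
    [125, 90, 150, 105],
    [118, 100, 135, 115],
    [130, 92, 145, 108],
    [122, 97, 142, 112],
]


def build_reference(samples):
    """Enrollment: return (means, stdevs) per latency position.

    The mean vector is the stored 'electronic signature'; the standard
    deviations let the comparison weight each position by how consistent
    the user actually is there.
    """
    positions = len(samples[0])
    if any(len(s) != positions for s in samples):
        raise ValueError("all enrollment samples must have the same length")
    means, stdevs = [], []
    for i in range(positions):
        column = [s[i] for s in samples]
        means.append(statistics.mean(column))
        # floor at 1 ms so a perfectly regular typist does not divide by zero
        stdevs.append(max(statistics.stdev(column), 1.0))
    return means, stdevs


def similarity_score(claimant, reference):
    """Mean absolute z-score of the claimant's latencies against the reference.

    Lower is more similar; 0.0 means the claimant typed with exactly the
    enrolled mean latencies.
    """
    means, stdevs = reference
    if len(claimant) != len(means):
        raise ValueError("claimant vector length does not match the reference")
    return sum(abs(c - m) / s for c, m, s in zip(claimant, means, stdevs)) / len(means)


def verify(claimant, reference, threshold=2.0):
    """Access decision: accept when the score is within `threshold` standard deviations.

    The threshold is an assumed tuning parameter; in practice it is set from
    the observed false-accept / false-reject trade-off for the user population.
    """
    return similarity_score(claimant, reference) <= threshold


if __name__ == "__main__":
    reference = build_reference(ENROLLMENT_SAMPLES)
    genuine = [121, 94, 141, 111]    # constructed: the enrolled user typing again
    impostor = [90, 140, 100, 160]   # constructed: someone else typing "alice"
    for label, vector in (("genuine", genuine), ("impostor", impostor)):
        print(label, round(similarity_score(vector, reference), 2), verify(vector, reference))
```

The genuine sample scores well under one standard deviation and is accepted; the impostor sample scores around ten and is rejected. Because the comparison is statistical, a threshold always trades false rejections of the legitimate user against false acceptances of an impostor, which is why such a mechanism supplements rather than replaces the password.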

240. Which of the following password selection procedures would be the most difficult to remember?

a. Reverse or rearrange the characters in the user’s birthday

b. Reverse or rearrange the characters in the user’s annual salary

c. Reverse or rearrange the characters in the user’s spouse’s name

d. Use randomly generated characters

240. d. Password selection is a difficult balancing act between password effectiveness and the user’s ability to remember it. The selected password should be simple for its owner to remember and difficult for others to discover. It is no advantage to have a scientifically generated password if the user cannot remember it. A password made of randomly generated characters is not only difficult to remember but also likely to be exposed: users who cannot remember a password are tempted to write it down in a conspicuous place.

The approaches in the other three choices would be relatively easy to remember due to the user familiarity with the password origin. A simple procedure is to use well-known personal information that is rearranged.
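The following worked example, added here and not part of the original text, quantifies the trade-off in the answer above: the three "familiar" procedures are easy to remember precisely because the rearranged material comes from a tiny, enumerable set, whereas random characters are hard to remember because they carry real entropy. The seed values, the 12-character random password, and the assumed guessing rate of 10^9 guesses per second are constructed for illustration.

```python
import itertools
import math


def rearrangement_guesses(seed):
    """Every distinct string reachable by reversing or rearranging the characters
    of `seed` (reversal is just one of the permutations)."""
    return {"".join(p) for p in itertools.permutations(seed)}


def guess_space_bits(candidates):
    """Entropy, in bits, of a password drawn from `candidates` equally likely values."""
    return math.log2(candidates)


def random_password_bits(length, alphabet_size):
    """Entropy, in bits, of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(bits, guesses_per_second):
    """Time to exhaust a space of 2**bits guesses at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Constructed seeds for the three 'familiar' procedures; not real data.
    seeds = {"birthday": "19840315", "salary": "65000", "spouse": "maria"}
    rate = 1e9  # assumed: 10^9 guesses/s against an unsalted, unstretched hash
    for name, seed in seeds.items():
        n = len(rearrangement_guesses(seed))
        bits = guess_space_bits(n)
        print(f"{name:8} {n:>6} candidates, {bits:5.1f} bits, "
              f"exhausted in {worst_case_seconds(bits, rate):.6f} s")
    bits = random_password_bits(12, 62)
    print(f"random 12-char [A-Za-z0-9]: {bits:.1f} bits, "
          f"{worst_case_seconds(bits, rate) / 3.15e7:.0f} years")
```

An attacker who knows the victim's birthday needs at most 20,160 guesses to cover every rearrangement of it, and a rearranged five-digit salary or five-letter name gives even less. A 12-character random password over letters and digits gives about 71 bits, which at the same guessing rate takes on the order of tens of thousands of years to exhaust; the memorability problem is then best solved by a password manager rather than by a sticky note.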

241. How does a role-based access control mechanism work?

a. Based on job enlargement concept

b. Based on job duties concept

c. Based on job enrichment concept

d. Based on job rotation concept

241. b. Users take on assigned roles such as doctor, nurse, teller, and manager. With role-based access control mechanism, access decisions are based on the roles that individual users have as part of an organization, that is, job duties. Job enlargement means adding width to a job; job enrichment means adding depth to a job; and job rotation makes a person well rounded.
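The following worked example, added here and not part of the original text, shows a minimal role-based access control mechanism in code: permissions are attached to roles (job duties), users are assigned roles, and every access decision is derived from the user's roles with deny by default. The roles, permissions, and user names are hypothetical and do not come from any real system.

```python
# Constructed example of a role-based access control (RBAC) policy.
# The roles, permissions and users are hypothetical.

# Permissions are (object, action) pairs attached to roles, i.e. to job duties,
# never directly to individual users.
ROLE_PERMISSIONS = {
    "doctor":  {("patient_record", "read"), ("patient_record", "write"),
                ("prescription", "write")},
    "nurse":   {("patient_record", "read"), ("vitals", "write")},
    "teller":  {("account", "read"), ("transaction", "post")},
    "manager": {("account", "read"), ("transaction", "approve"), ("report", "read")},
}


class RoleBasedAccessControl:
    def __init__(self, role_permissions):
        self._role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self._user_roles = {}

    def assign_role(self, user, role):
        """Assigning a role grants every permission that role carries."""
        if role not in self._role_permissions:
            raise ValueError(f"unknown role: {role}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        """Revoking a role removes every permission that came with it."""
        self._user_roles.get(user, set()).discard(role)

    def permissions_for(self, user):
        """Effective permissions: the union of the user's roles (empty for unknown users)."""
        perms = set()
        for role in self._user_roles.get(user, ()):
            perms |= self._role_permissions[role]
        return perms

    def is_permitted(self, user, obj, action):
        """Access decision: deny by default, grant only through an assigned role."""
        return (obj, action) in self.permissions_for(user)


def build_demo():
    """Constructed population: one user per role."""
    rbac = RoleBasedAccessControl(ROLE_PERMISSIONS)
    rbac.assign_role("alice", "doctor")
    rbac.assign_role("bob", "nurse")
    rbac.assign_role("carol", "teller")
    return rbac


def reassign_demo():
    """Bob's duties change from nurse to teller: access follows the role, not the user.

    Returns (could_write_vitals_before, can_write_vitals_after, can_post_transaction_after).
    """
    rbac = build_demo()
    before = rbac.is_permitted("bob", "vitals", "write")
    rbac.revoke_role("bob", "nurse")
    rbac.assign_role("bob", "teller")
    return before, rbac.is_permitted("bob", "vitals", "write"), rbac.is_permitted("bob", "transaction", "post")


if __name__ == "__main__":
    rbac = build_demo()
    for user, obj, action in [("alice", "prescription", "write"),
                              ("bob", "prescription", "write"),
                              ("mallory", "account", "read")]:
        print(f"{user:8} {action:7} {obj:15} -> {rbac.is_permitted(user, obj, action)}")
    print("bob reassigned nurse -> teller:", reassign_demo())
```

The point of the design is that a change of duties is a change of role assignment, not an edit of per-user permissions, and an unknown user or an unassigned action is refused without any special case.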

242. What do the countermeasures against a rainbow attack resulting from a password cracking threat include?

a. One-time password and one-way hash

b. Keyspace and passphrase

c. Salting and stretching

d. Entropy and user account lockout

242. c. Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting can make it highly unlikely that their hashes are the same. Larger salts effectively make the use of rainbow tables infeasible. Stretching involves hashing each password and its salt thousands of times. This makes the creation of the rainbow tables correspondingly more time-consuming, while having little effect on the amount of effort needed by the organization’s systems to verify password authentication attempts.

Keyspace is the set of all possible key values (keys) that an encryption algorithm can use when transforming a message; the larger it is, the more an attacker must search. A passphrase is a sequence of characters that a password system transforms into a virtual password. Entropy is a measure of the amount of uncertainty that an attacker faces in determining the value of a secret.
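The following worked example, added here and not part of the original text, implements salting and stretching as described in the answer above, using PBKDF2-HMAC-SHA256 from the Python standard library, and contrasts it with an unsalted hash. The 16-byte salt length, the 600,000-iteration default and the stored-string format are assumptions chosen for the example, not values the text prescribes.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters: 16-byte random salt and PBKDF2-HMAC-SHA256 with 600,000
# iterations. Raise the count as hardware gets faster; the self-describing
# stored string below lets old entries be re-hashed at the next login.
SALT_BYTES = 16
ITERATIONS = 600_000


def unsalted_hash(password):
    """What a rainbow table attacks: the same password gives the same digest for everyone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Salt and stretch. Returns 'pbkdf2_sha256$<iterations>$<salt b64>$<key b64>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # salting: fresh random value per password
    derived = hashlib.pbkdf2_hmac(              # stretching: `iterations` HMAC rounds
        "sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, key_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("unsalted, user 1:", unsalted_hash(pw))
    print("unsalted, user 2:", unsalted_hash(pw))       # identical: one table cracks both
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted, user 1:  ", h1)
    print("salted, user 2:  ", h2)                      # different salt, different hash
    print("verify correct:", verify_password(pw, h1),
          "verify wrong:", verify_password("Tr0ub4dor&3", h1))
```

Two users with the same password get different stored values, so a precomputed table keyed on the password alone is useless, and each verification costs the defender one PBKDF2 computation while costing an attacker one per guess per salt. A memory-hard function such as scrypt or Argon2 is the stronger modern choice, but the salt-and-stretch structure is the same.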

243. Passwords can be stored safely in which of the following places?

a. Initialization file

b. Script file

c. Password file

d. Batch file

243. c. Passwords should not be included in initialization files, script files, or batch files, because such files are widely readable and easily copied and the password can be compromised. Instead, they should be stored in a dedicated password file that is protected by access controls and, preferably, encrypted.
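The following worked example, added here and not part of the original text, shows both halves of the answer above in code: a loader that reads a secret only from a password file whose POSIX permissions restrict it to its owner, and a scanner that flags password literals embedded in initialization, script, or batch files. The sample lines, the regular expression, and the owner-only permission rule are constructed assumptions; on Windows the equivalent check would inspect the file's ACL rather than mode bits.

```python
import os
import re
import stat

# Assumption: a password file is safe only if it is a regular file, owned by the
# uid running this process, with no group or world permission bits at all.

# Matches an assignment of a password literal such as "password = x", "PASSWD=x"
# or "pwd: x" in .ini, .sh or .bat syntax. A name like PASSWORD_FILE=/path is
# not matched because the key is followed by "_", not by "=" or ":".
PASSWORD_ASSIGNMENT = re.compile(r"(?i)(pass(word|wd)?|pwd)\s*[=:]\s*\S+")


def is_safely_permissioned(mode, owner_uid, expected_uid):
    """True only for a regular file owned by `expected_uid` with no group/other bits set."""
    if not stat.S_ISREG(mode):
        return False
    if owner_uid != expected_uid:
        return False
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_password(path):
    """Read a secret from a dedicated password file, refusing if the file is exposed."""
    st = os.stat(path)
    if not is_safely_permissioned(st.st_mode, st.st_uid, os.getuid()):
        raise PermissionError(
            f"{path}: refusing to read a password file with mode "
            f"{oct(stat.S_IMODE(st.st_mode))} owned by uid {st.st_uid}")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def find_embedded_passwords(lines):
    """Flag lines of an initialization, script or batch file that embed a password literal.

    Returns [(line_number, line), ...]; lines that merely point at a password
    file are not flagged.
    """
    return [(n, line) for n, line in enumerate(lines, start=1)
            if PASSWORD_ASSIGNMENT.search(line)]


# Constructed sample lines (not from any real system), as they might appear in
# an .ini file, a Windows .bat file and a shell script.
SAMPLE_LINES = [
    "db_host = db.example.internal",
    "db_password = S3cret!",
    "set PASSWD=hunter2",
    "PASSWORD_FILE=/etc/app/db.pass",
]


if __name__ == "__main__":
    import tempfile
    for n, line in find_embedded_passwords(SAMPLE_LINES):
        print(f"line {n}: embedded password: {line}")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db.pass")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)   # owner-only from creation
        os.write(fd, b"S3cret!\n")
        os.close(fd)
        print("loaded from 0600 file:", load_password(path))
        os.chmod(path, 0o644)                                  # now world-readable
        try:
            load_password(path)
        except PermissionError as exc:
            print("refused:", exc)
```

Creating the file with mode 0600 at `os.open` time matters: creating it and then calling `chmod` leaves a window in which the default umask may have made it readable. Encrypting the file's contents adds a second layer, but the key to decrypt it then needs the same protection, so the permission check remains the foundation.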

244. Which of the following is not a common method used to gain unauthorized access to computer systems?

a. Password sharing

b. Password guessing

c. Password capturing

d. Password spoofing

244. d. Password spoofing occurs when intruders trick system security into permitting normally disallowed network connections; the passwords gained this way allow them to defeat security controls or to steal valuable information. For example, unencrypted Internet traffic is easily readable, so e-mail, passwords, and file transfers sent in the clear can be obtained using readily available software. Password spoofing is nevertheless not that common.

The other three choices are incorrect because they are the most commonly used methods to gain unauthorized access to computer systems. Password sharing allows an unauthorized user to have the system access and privileges of a legitimate user, with the legitimate user’s knowledge and acceptance. Password guessing occurs when easy-to-use or easy-to-remember codes are used and when other users know about them (e.g., hobbies, sports, favorite stars, and social events). Password capturing is a process in which a legitimate user unknowingly reveals the user’s login ID and password. This may be done through the use of a Trojan horse program that appears to the user as a legitimate login program; however, the Trojan horse program is designed to capture passwords.