A security administrator is updating the company's password policy to provide the best protection against brute-force and dictionary attacks. The primary goal is to make individual user passwords as difficult to crack as possible. Which policy change would be MOST effective in achieving this?
Decrease the maximum password age from 120 days to 90 days.
Encourage users to adopt passphrases of at least 15 characters without enforcing character complexity.
Increase the minimum password length to 12 characters and require the use of uppercase, lowercase, numbers, and special characters.
Prevent users from reusing any of their previous 12 passwords.
Enforcing a policy that requires a significant minimum length (e.g., 12 characters) combined with complexity (a mix of uppercase, lowercase, numbers, and symbols) is the most effective way to increase a password's entropy and resistance to cracking attempts. While password history and passphrases are valuable concepts, a specific length and complexity requirement provides a more direct and measurable defense against brute-force attacks. Mandatory frequent password changes (e.g., every 90 days) are no longer considered a primary best practice by organizations like NIST, as this practice can lead to users creating weaker, more predictable passwords.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why does increasing password length and complexity make it harder to crack?
Open an interactive chat with Bash
What is the purpose of implementing a maximum password age policy?
Open an interactive chat with Bash
Why is allowing password reuse considered a poor security practice?