CPR101 QUIZ 5

Questions and Answers

What is the success rate of Spear Phishing?

45%

55%

25%

35% (correct)

Two-factor authentication is more secure than three-factor authentication.

False

What is the purpose of salting in password storage?

To prevent rainbow table attacks

According to the password policy, users should use at least ______ random Diceware words for a single salted 100K hashed password.

4

Match the following authentication factors with their descriptions:

Something I know = User ID & password, PIN Something I have = FIDO2 Universal 2nd Factor (U2F), phone Authenticator (OTP), bank | credit | access card, YubiKey

What is the primary goal of social engineering?

To trick users into revealing sensitive information

Three-factor authentication requires something you are.

True

How many guesses per second can a GPU make when cracking an 8-character password?

5M guesses/second

What is the principle of granting only the minimum authority needed?

Principle of Least Privilege

It's recommended to use a VPN from public access points.

True

What is the purpose of DNS Domain Name System?

translate name.tld to IP address

Permissions for ICT developers on a production server are typically _______.

Read Only

What is the purpose of a Domain Validation (DV) certificate?

To validate a domain name

Match the following security tools with their purpose:

CIRA = block malware, botnets, malicious domains Quad9 = block malware, botnets, malicious domains Privacy Badger = block tracking Panopticlick = test browser tracking

It's a good idea to use the same password across multiple systems.

False

What is the recommendation for using SuperUser (sudo) or root privileges?

only when necessary

What is the primary issue with 4-digit PINs used by banks and credit cards as 2FA?

They are easily guessed due to common patterns

Using a passphrase with 64 characters or more is considered insecure.

False

What is the recommended storage format for passwords?

Salted and hashed format using a standard library with Argon2id or PBKDF2

According to NIST SP 800-63B Appendix A, password expiration should be based on _______________________, not time.

risk

What is a recommended alternative to passwords?

Passkey

Two-factor authentication provides three layers of security.

False

Match the following authentication methods with their descriptions:

Multi-Factor Authentication = uses multiple forms of verification Two-Factor Authentication = uses two forms of verification Three-Factor Authentication = uses three forms of verification

What is the main objective of security in the context of authentication?

To protect privacy

What is the recommended way to generate a strong password?

Generate a long random passphrase

Diceware is a method of generating strong, unique, and memorable passwords.

True

What is the recommended approach to managing UserIDs across multiple accounts?

Use an email alias for each account, such as [email protected], [email protected], etc.

_____________ is a service that allows users to authenticate with multiple sites using a single account.

OpenID Connect

Match the following password strength meters with their features:

Have I Been Pwned? = Check if previously breached / leaked / hacked PasswordPing = API for password strength meter Specops Password Security Tools = Full service for password defense

What is the recommended way to use a password manager?

Use a password manager to generate unique, long, random passwords for each account

Two-factor authentication is a sufficient security measure to protect against all types of attacks.

False

What is the benefit of using a Diceware PassPhrase?

It is a long, memorable, and strong password that can satisfy bad password policies.

What is the most common cracking method?

Weak Passwords

Using the same password across multiple sites is secure.

False

What is the primary weakness of knowledge-based authentication?

Easy to hack using social media exposure or stolen information

A strong password should have at least one ___________ character.

UPPERCASE

What is a problem with the password '13qeadzc@$WRSFXV'?

It can be easily cracked using a keyboard walk algorithm

A good password policy requires periodic changes to passwords.

False

Match the following password characteristics with their descriptions:

Length = Minimum of 8 characters Strength = Combination of uppercase, lowercase, numbers, and symbols Complexity = Not found in a dictionary Expiry = Periodic password changes

What is a recommended approach to password defense?

Memorable length instead of complex strength

Study Notes

Password Security

• Nymi band uses fingerprint, facial recognition, ECG, and heartbeat pattern for authentication.
• PINs are insecure, with most people using a date to make them memorable, resulting in a limited range of 700 possibilities.

Better Password Policies

• User ID should be impersonal, not an email address.
• Passphrase should be 8-10-12-15 characters in length, with no complexity rules.
• Password expiration should be based on risk, not time.
• Reusing passwords should not be allowed.
• Block simple dictionary, commonly used, and previously breached passwords.
• Require two-factor ID, such as Microsoft Authenticator or U2F.

Password Storage

• Store passwords in a salted and hashed format using a standard library with Argon2id or PBKDF2.
• Do not invent your own password storage method.
• Obscurity does not equal security.

Password Alternatives

• Use a passkey instead of a password, starting with Microsoft or Google FIDO2.
• Use a hardware-based passkey with biometric authentication.

Security and Privacy

• Authentication should use multi-factor authentication (MFA).
• A strong password can be long, memorable, and satisfy bad rules.
• Generate a long random passphrase and check its strength and entropy.

Password Defense

• Check if a password has been previously breached or leaked.
• Use an email alias for the UserID.
• Use a password manager to generate unique, long, random, and strong passwords.
• Use a Diceware passphrase generator for long, memorable, and random passwords.

Password Managers

• Use a password manager such as 1Password, BitWarden, or MS Authenticator.
• Password managers can generate unique, long, random, and strong passwords for each account.

Authentication

• OpenID Connect authenticates users to multiple sites via a single account.
• Read the permissions requested to the authorization account.

Weak Passwords

• Weak passwords are guessable or reused across sites.
• Top three weak passwords are 123456, admin, and 12345678.
• Credential stuffing and cracking are common attacks.

Password Recovery

• "I forgot my password" relies on the strength of the email account's security and password.
• Answer security questions with lies to protect your identity.

Password Edit Rules

• Bad password rules include length, strength, and complexity requirements.
• Good password rules include using a passphrase and limiting password changes.

Authorization

• Authorization is the process of granting access rights to users.
• Role-based access control (RBAC) grants minimum authority needed for job functions.
• Permissions should be specific for each role and server.

Internet and Browser Security

• Use a DNS service that blocks malware and malicious domains.
• Use a VPN when accessing public networks.
• Always use HTTPS for sign-on.
• Use browser extensions to block tracking and test browser security.

Social Engineering

• Social engineering is a common attack method that uses social media to guess passwords and security questions.
• Be cautious when sharing personal information online.
• Use two-factor authentication to protect against phishing and cracking.