CompTIA PenTest+ (PT0-002) — Question 108

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name- serial_number>.
Which of the following would be the best action for the tester to take NEXT with this information?

Answer options

• A. Create a custom password dictionary as preparation for password spray testing.
• B. Recommend using a password manager/vault instead of text files to store passwords securely.
• C. Recommend configuring password complexity rules in all the systems and applications.
• D. Document the unprotected file repository as a finding in the penetration-testing report.

Correct answer: D

Explanation

The best action for the tester is to document the unprotected file repository as a finding in the penetration-testing report (D), as it highlights a significant security vulnerability. While creating a custom password dictionary (A) or recommending a password manager (B) might improve security, these actions do not directly address the immediate risk presented by the unprotected repository. Similarly, suggesting password complexity rules (C) is a preventative measure that does not resolve the current exposure.