CompTIA Security+ (SY0-501) — Question 509

An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using any of their previous 12 passwords. The quantization does not use single sign-on, nor does it centralize storage of passwords.
The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?

Answer options

• A. Some users are meeting password complexity requirements but not password length requirements.
• B. The password history enforcement is insufficient, and old passwords are still valid across many different systems.
• C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems.
• D. The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.

Correct answer: D

Explanation

Option D is correct because it indicates that the compromised passwords have been brute-forced, suggesting that the complexity requirements were not strong enough to prevent this. The other options do not accurately address the situation, as they either misinterpret the password policy enforcement or overlook the implications of the unusual login activity detected.