CompTIA Security+ (SY0-601) — Question 393

An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple login attempts with random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:

The username you entered does not exist.

Which of the following should the analyst recommend be enabled?

Answer options

Correct answer: C

Explanation

The correct answer is C, error handling. The message "The username you entered does not exist." tells the attacker which usernames are valid and which are not, so the random guessing observed by the analyst can be turned into username enumeration: discard every name that produces this message, keep every name that produces a different one, and then spend the password guesses only on accounts known to exist. Proper error handling returns the same generic message (for example, "Invalid username or password") whether the username is unknown or the password is wrong, so the response no longer distinguishes the two cases. The same principle applies to password-reset and registration forms, and the server should do the same amount of work on both paths so that response time does not leak what the message no longer does. The other options do not address the issue directly: A focuses on validating input, B deals with hiding information, and D would not stop the information leak caused by the error message.
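The following added example (not part of the original question or its explanation) shows the leaky login logic from the scenario beside a hardened version, together with the enumeration check an attacker (or the analyst) would run against each. The user store, the PBKDF2 parameters, the dummy-hash trick for unknown usernames and the message strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def _hash(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is an assumed illustrative value."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# Constructed sample user store: username -> (salt, password hash). Not from the page.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash(b"correct horse battery staple", _SALT))}

# Dummy credentials used when the username is unknown, so the hardened login does the
# same hashing work on both paths and the response time does not reveal user existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(b"dummy", _DUMMY_SALT)

GENERIC = "Invalid username or password."


def login_leaky(username: str, password: str):
    """'Before': the behaviour in the question. Distinct messages tell the
    attacker which usernames exist before any password guessing starts."""
    if username not in USERS:
        return (False, "The username you entered does not exist.")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password.encode(), salt), stored):
        return (False, "Incorrect password.")
    return (True, "Login successful.")


def login_hardened(username: str, password: str):
    """'After': one generic failure message for both unknown-user and wrong-password,
    and the hash is always computed so both paths cost the same."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # compare_digest runs on every call; the membership check afterwards prevents a
    # login against the dummy entry if the attacker happens to guess its password.
    ok = hmac.compare_digest(_hash(password.encode(), salt), stored) and username in USERS
    return (ok, "Login successful." if ok else GENERIC)


def enumerate_usernames(login, candidates, probe_password="x"):
    """What the attacker in the scenario is doing: send a throwaway password for each
    candidate name and keep the names whose error text differs from the one returned
    for a name that certainly does not exist. An empty result means the login form
    does not leak user existence through its messages."""
    unknown_msg = login("no-such-user-" + os.urandom(4).hex(), probe_password)[1]
    return sorted(
        name for name in candidates if login(name, probe_password)[1] != unknown_msg
    )


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky form reveals:   ", enumerate_usernames(login_leaky, names))
    print("hardened form reveals:", enumerate_usernames(login_hardened, names))
```

Running the module prints `['alice']` for the leaky form and `[]` for the hardened one. Note that `enumerate_usernames` only tests the message text; checking for a timing difference between the two paths would need repeated measurements, which is why `login_hardened` always performs the hash.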