NEOCODE

Password Security MCQs

PASSWORD-BASED AUTHENTICATION

1. The primary purpose of authentication is to:

Correct Answer: b) Verify the identity of a user/system

Explanation:
Authentication confirms that users are who they claim to be. It's different from authorization (determining access rights) and encryption (protecting data confidentiality).

2. Which of the following is the WEAKEST form of authentication?

Correct Answer: a) Single-factor (Password only)

Explanation:
Single-factor authentication is the weakest as it relies on just one credential type (knowledge factor). Multi-factor authentication (MFA) combining knowledge, possession, and inherence factors is stronger.

3. A brute-force attack on passwords involves:

Correct Answer: a) Trying all possible password combinations

Explanation:
Brute-force attacks systematically check all possible passwords until the correct one is found. Defenses include: account lockouts, rate limiting, and CAPTCHAs.

4. Which password policy is MOST secure?

Correct Answer: a) Minimum 12 chars, uppercase, lowercase, numbers, special symbols

Explanation:
NIST recommends: minimum 8-12 characters, allowing all character types, checking against breached password lists, and eliminating periodic resets unless compromised.

PASSWORD MAINTENANCE & SECURITY

5. Password hashing is used to:

Correct Answer: a) Store passwords securely (irreversible transformation)

Explanation:
Hashing converts passwords to fixed-length values using algorithms like bcrypt, PBKDF2, or Argon2. Unlike encryption, hashing is one-way: the original password cannot be retrieved from the hash.

6. Which of the following is a GOOD password practice?

Correct Answer: a) Using a password manager

Explanation:
Password managers (like Bitwarden, 1Password) generate/store strong unique passwords, encrypted with a master password. They're more secure than memorization or written notes.

7. Salting in password hashing prevents:

Correct Answer: a) Rainbow table attacks

Explanation:
Salting adds random data to each password before hashing, making precomputed rainbow tables ineffective since each hash is unique even for identical passwords.

8. Which attack exploits reused passwords across multiple sites?

Correct Answer: a) Credential stuffing

Explanation:
Attackers use credentials leaked from one site to access other accounts where users reused passwords. Prevention: unique passwords per site and MFA.

MULTI-FACTOR AUTHENTICATION (MFA)

9. Two-factor authentication (2FA) typically combines:

Correct Answer: a) Something you know (password) + Something you have (OTP)

Explanation:
True MFA requires different factor types: knowledge (password), possession (phone/OTP), and inherence (biometrics). Two passwords are still single-factor.

10. Which is NOT a valid MFA method?

Correct Answer: a) Sending password via SMS

Explanation:
SMS is insecure for MFA due to SIM swapping. Better options: authenticator apps (TOTP), hardware tokens (FIDO2), or biometrics. NIST deprecated SMS-based 2FA in 2016.

11. Time-based One-Time Password (TOTP) is generated using:

Correct Answer: a) A shared secret + Current time

Explanation:
TOTP (RFC 6238) combines a secret key with the current timestamp (typically 30-second windows) to generate temporary codes. Used by Google Authenticator, Microsoft Authenticator, etc.

12. MFA is effective against:

Correct Answer: a) Stolen password attacks

Explanation:
MFA mitigates credential theft since attackers need additional factors beyond just the password. It doesn't prevent DDoS, buffer overflows, or cache poisoning, which target different vulnerabilities.