After a security breach, which password policy upgrade would be most effective?

Multiple Choice

After a security breach, which password policy upgrade would be most effective?

Enforcing a ban on common passwords and requiring password complexity is a highly effective upgrade to a password policy following a security breach. This approach significantly mitigates the risk of unauthorized access, as many attackers rely on guessing simple, well-known passwords that users frequently choose. By disallowing common passwords, organizations reduce the likelihood of successful brute-force attacks.

Requiring complexity further strengthens passwords by introducing a combination of uppercase and lowercase letters, numbers, and special characters, making them much harder to crack. This multifaceted strategy addresses one of the main vulnerabilities exploited during security breaches, namely weak password choices and predictable patterns.

While raising the minimum password length to 12 characters is beneficial, it does not address the possibility that those passwords are easily guessed if they are also common. Likewise, increasing password expiry without addressing the fundamental weaknesses in how passwords are created only prolongs the potential for compromised accounts. Thus, the comprehensive approach of banning common passwords and enforcing complexity is a proactive measure that significantly enhances security post-breach.