Which Two Statements About Managing Accounts Are True


If you’ve ever wondered which two statements about managing accounts are true, you’re not alone. It’s a question that pops up in certification exams, onboarding checklists, and casual conversations among folks who suddenly find themselves responsible for a handful of logins, passwords, and permissions. The answer isn’t always obvious because “managing accounts” can mean anything from keeping your personal email secure to overseeing thousands of corporate user profiles. Let’s untangle it together.

What Is Managing Accounts Really About?

At its core, managing accounts is the ongoing process of creating, maintaining, and retiring access to digital resources. Those resources might be email inboxes, banking portals, cloud storage, internal software, or even social media profiles. The goal is simple: make sure the right people can get in when they need to, and keep everyone else out.

When we talk about “statements about managing accounts,” we’re usually looking at claims like:

  • Regular password changes improve security.
  • Multi‑factor authentication (MFA) eliminates the need for strong passwords.
  • Disabling inactive accounts reduces attack surface.
  • Sharing credentials via email is fine if the message is encrypted.
  • Auditing access logs helps spot misuse early.

Some of those sound plausible, others feel off. The trick is to figure out which two hold up under scrutiny and why the rest fall short.

Why It Matters / Why People Care

Getting account management right isn’t just a box‑ticking exercise. A single overlooked permission can lead to data leaks, financial loss, or reputational damage. On the flip side, overly strict controls frustrate users, slow down work, and push people to find workarounds that are even less secure.

Think about a small business owner who gives an assistant access to the company’s accounting software. If that assistant leaves and the account isn’t disabled, a former employee could still view payroll data. Or consider a college student who reuses the same password across campus email, a streaming service, and a banking app. One breach could cascade into multiple headaches.

Understanding which statements about managing accounts are true helps you prioritize effort. You’ll know where to spend time, where to push back on myths, and where to implement controls that actually move the needle on security and usability.

How It Works (or How to Do It)

Let’s break down the mechanics of effective account management into bite‑size pieces. Each piece addresses a common belief, and we’ll see which statements survive the test.

### Regular Password Changes Improve Security

For years, security policies forced users to change passwords every 30, 60, or 90 days. The idea was that if a password got stolen, the thief would have a limited window to use it. But in practice, frequent mandatory changes often lead to weaker passwords — people add a number, swap a letter, or write the new password on a sticky note. Modern guidance from NIST and other bodies now recommends only changing passwords when there’s evidence of compromise, not on a fixed schedule. So the statement “regular password changes improve security” is largely false in today’s context.

### Multi‑Factor Authentication Eliminates the Need for Strong Passwords

MFA adds a second layer — something you have (a phone token) or something you are (a fingerprint). It’s a powerful deterrent against stolen credentials. That said, if the first factor is a trivial password like “123456,” an attacker who manages to phish the second factor (think SIM‑swap or push‑notification fatigue) could still gain entry. Strong passwords remain important because they reduce the chance that an attacker ever gets to the second factor in the first place. Because of this, the claim that MFA removes the need for strong passwords is false.

### Disabling Inactive Accounts Reduces Attack Surface

An inactive account is a dormant doorway. Disabling — or better yet, deleting — accounts that haven’t been logged into for a defined period (say 90 days) shrinks the number of potential entry points. If no one is using it, there’s no legitimate reason for it to stay active, yet it still presents a target for credential stuffing, brute force, or exploitation of old vulnerabilities. This statement is true.

### Sharing Credentials via Email Is Fine If the Message Is Encrypted

Even with encryption, sharing passwords through email introduces risk. Email accounts themselves can be compromised, forwarded accidentally, or stored in backups longer than intended. The safest approach is to use a dedicated password manager that allows secure sharing without exposing the raw credential. So this statement is false.

### Auditing Access Logs Helps Spot Misuse Early

Logs show who accessed what, when, and from where. Regular review — whether manual or automated via SIEM tools — can reveal anomalies like a user logging in at 3 a.m. from a foreign country, or an account that suddenly accesses files it never touched before. Early detection lets you respond before damage spreads. This statement is true.
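As an added illustration (not code from the original article), here is a small Python detector that replays constructed access-log records and flags the three anomaly types just described: off-hours logins, a first login from a new country, and first access to a resource the account never touched before. The business-hours window, the sample records, and the two-event warm-up before novelty is judged are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 in the log's local time

# Constructed sample access log (user, ISO timestamp, source country, resource);
# the last three records are the kinds of anomaly the article describes.
SAMPLE_LOG = [
    ("alice", "2024-03-04T09:15:00", "US", "/finance/q1-report"),
    ("alice", "2024-03-04T10:02:00", "US", "/finance/budget"),
    ("bob",   "2024-03-04T11:00:00", "US", "/hr/handbook"),
    ("bob",   "2024-03-05T11:20:00", "US", "/hr/handbook"),
    ("alice", "2024-03-05T14:30:00", "US", "/finance/q1-report"),
    ("alice", "2024-03-06T03:07:00", "US", "/finance/q1-report"),   # 3 a.m. login
    ("bob",   "2024-03-06T12:00:00", "RO", "/hr/handbook"),         # new country
    ("bob",   "2024-03-06T12:05:00", "US", "/finance/payroll"),     # never-touched resource
]

def detect_anomalies(log, min_history=2, business_hours=BUSINESS_HOURS):
    """Replay events in time order, learning each user's baseline as we go.

    Novelty (new country, new resource) is only judged once a user has at
    least `min_history` earlier events, so brand-new users do not flood the
    review queue with false positives (the cold-start edge case).
    Returns a list of (user, timestamp, reason) findings.
    """
    seen_countries, seen_resources = defaultdict(set), defaultdict(set)
    history = defaultdict(int)
    findings = []
    for user, ts, country, resource in sorted(log, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        reasons = []
        if when.hour not in business_hours:
            reasons.append(f"off-hours login at {when:%H:%M}")
        if history[user] >= min_history:
            if country not in seen_countries[user]:
                reasons.append(f"first login from {country}")
            if resource not in seen_resources[user]:
                reasons.append(f"first access to {resource}")
        if reasons:
            findings.append((user, ts, "; ".join(reasons)))
        seen_countries[user].add(country)   # update the baseline after judging
        seen_resources[user].add(resource)
        history[user] += 1
    return findings

if __name__ == "__main__":
    for user, ts, reason in detect_anomalies(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

In a real deployment the baseline would be persisted between runs and the off-hours rule tuned per user or per time zone; the structure of the check stays the same.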

So, the two true statements about managing accounts are:

  1. Disabling inactive accounts reduces attack surface.
  2. Auditing access logs helps spot misuse early.

Common Mistakes / What Most People Get Wrong

Even when people know the right principles, they often slip up in execution. Here are a few patterns I’ve seen repeatedly.

### Treating All Accounts the Same

Not every account carries the same risk. A senior executive’s email, a domain admin’s console, and a contractor’s temporary portal each need different levels of scrutiny. Applying a one‑size‑fits‑all policy — like forcing the same password complexity on a low‑risk blog login as on a financial system — wastes effort and can annoy users without adding real protection.

### Relying Solely on Password Policies

Complexity rules (mix of upper/lower, numbers, symbols) and expiration dates give a false sense of security. Attackers bypass them with phishing, keyloggers, or credential stuffing. If you stop at password rules and ignore MFA, monitoring, and user education, you’re leaving big gaps.

### Ignoring the Off‑boarding Process

When someone leaves a company or changes roles, their access should be reviewed immediately. Yet many organizations have a checklist that sits in a drawer, and accounts linger for weeks or months. That gap is a favorite target for insider threats and

Ignoring the Off‑boarding Process (continued)

When a former employee’s access is not revoked promptly, the window of opportunity for misuse widens dramatically. Attackers—whether external actors who have purchased a dismissed worker’s credentials on the dark web or disgruntled insiders—inherit a set of credentials that still grant legitimate‑looking access. The longer these accounts linger, the more they can be leveraged to move laterally, exfiltrate data, or establish persistent backdoors.

Why the gap exists

  • Manual checklists: HR and IT often rely on paper or spreadsheet‑based checklists that sit in a shared folder until “someone remembers” to act.
  • Role‑based inertia: Employees change titles but retain the same permissions, leading to “role creep” that goes unnoticed.
  • Legacy systems: Older applications may not support automated de‑provisioning, forcing teams to rely on periodic, error‑prone manual steps.

Practical steps to close the gap

| Step | Action | Tools / Techniques |
| --- | --- | --- |
| 1. Trigger | Integrate employee lifecycle events (off‑boarding, role change) into a central HRIS or workforce management system. | HRIS APIs, Azure AD Sync, Okta Workforce Identity |
| 2. Identify | Run a quarterly “access entitlement” scan that maps every user to the resources they can reach, flagging accounts with no business justification. | Access governance platforms (e.g., SailPoint, One Identity), custom scripts using SCIM |
| 3. Notify | Automatically generate a ticket for the responsible security or IT team, attaching a risk score and required actions. | Service‑desk integration (Jira, ServiceNow) |
| 4. Revoke | Disable or delete accounts based on a policy (e.g., 30‑day grace period for data retention, immediate revocation for privileged accounts). | Azure AD Conditional Access, AWS IAM, LDAP account lockout |
| 5. Document | Record the de‑provisioning action, the date, and the reviewer in a tamper‑evident log. | Immutable audit logs, blockchain‑based attestation if high assurance is needed |
| 6. Re‑evaluate | After a set period, re‑run the entitlement scan to catch any “shadow” accounts that may have been created post‑off‑boarding. | |
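The Identify, Revoke and Document steps above, together with the 90‑day inactivity rule from earlier in the article, as one added Python example (not code from the article or from any of the products named in the table): a policy function that decides keep/disable/delete per account, and a hash‑chained review log in which a later edit or deletion of a record is detectable. The account inventory, the reviewer name and the exact thresholds are assumptions; in practice the inventory would come from the HRIS/IdP sync in step 1.

```python
import hashlib
import json
from datetime import datetime, timedelta

INACTIVE_DAYS, GRACE_DAYS = 90, 30  # article's inactivity cutoff; leaver data-retention grace period

ACCOUNTS = [  # constructed inventory (assumption: in practice fed by the HRIS/IdP sync above)
    {"user": "alice", "privileged": False, "last_login": "2023-12-01", "left": None},
    {"user": "bob",   "privileged": True,  "last_login": "2024-03-01", "left": "2024-03-05"},
    {"user": "carol", "privileged": False, "last_login": "2024-03-01", "left": "2024-03-05"},
    {"user": "dave",  "privileged": False, "last_login": None,         "left": None},
]

def decide(acct, today):  # -> (action, reason) under the Revoke policy in the table
    if acct["left"]:
        if acct["privileged"]:
            return "disable", "privileged leaver: immediate revocation"
        if today >= datetime.fromisoformat(acct["left"]) + timedelta(days=GRACE_DAYS):
            return "delete", f"leaver past {GRACE_DAYS}-day grace period"
        return "disable", "leaver in grace period: disabled, data retained"
    if acct["last_login"] is None:  # edge case: provisioned but never used
        return "disable", "never logged in"
    idle = (today - datetime.fromisoformat(acct["last_login"])).days
    if idle >= INACTIVE_DAYS:
        return "disable", f"inactive for {idle} days"
    return "keep", "recently active"

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def run_review(accounts, today_iso, reviewer):
    """Apply the policy; chain each record to the previous hash so edits are detectable."""
    today, log, prev = datetime.fromisoformat(today_iso), [], "0" * 64
    for acct in accounts:
        action, reason = decide(acct, today)
        entry = {"user": acct["user"], "action": action, "reason": reason,
                 "date": today_iso, "reviewer": reviewer, "prev": prev}
        entry["hash"] = prev = entry_hash(entry)
        log.append(entry)
    return log

def verify_log(log):
    """Recompute the chain; a modified, inserted or removed entry breaks it."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

A hash chain on its own only reveals that a record was altered; to stop someone rewriting the whole chain, anchor the latest hash in a separate write‑once store (the "immutable audit log" in step 5).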

Automating the heavy lifting

  • SCIM provisioning/de‑provisioning: Standardize on a SCIM‑enabled identity provider that can push and pull account states in real time.
  • Identity‑centric orchestration: Use platforms like AWS Step Functions or Azure Logic Apps to chain together HR events, entitlement reviews, and account actions.
  • Policy‑as‑code: Store revocation policies in Git, allowing version control and rapid rollback while ensuring compliance teams can audit changes.

By embedding these controls into the employee lifecycle, organizations eliminate the “checklist in a drawer” problem and dramatically reduce the window for credential abuse.

Wrapping Up: A Pragmatic Blueprint for Account Hygiene

The two statements we validated earlier—disabling inactive accounts and auditing access logs—remain the cornerstone of a strong account‑management program. Yet technical controls alone are insufficient; people, processes, and governance must align to close the gaps that attackers exploit.

Key takeaways

  1. Risk‑based prioritization – Treat high‑privilege accounts (executives, admins, contractors) with stricter controls than low‑risk service accounts. Tailor complexity, MFA requirements, and review frequency to the potential impact of compromise.
  2. Layered defense – Combine strong authentication (MFA), continuous monitoring, and automated de‑provisioning. Password policies are a baseline, not a panacea.
  3. Process automation – Integrate HR systems with identity providers to trigger account actions automatically, reducing human error and response time.
  4. Continuous validation – Conduct regular entitlement reviews, log analysis, and simulated attacks (e.g., phishing drills) to keep defenses sharp.
  5. Documentation and accountability – Keep immutable records of who reviewed what, when, and why. This not only satisfies compliance mandates but also provides forensic clarity when incidents occur.

When these practices are woven into daily operations, the attack surface shrinks, detection capabilities improve, and the likelihood of credential‑based breaches drops dramatically. In short, diligent account management isn’t just a checklist item—it’s a foundational pillar of a resilient security posture.
