Cognitive passwords are fact- or opinion-based information used to verify an individual's identity. Passwords that can be used only once are one-time or dynamic passwords. Password generators that use a challenge-response scheme are referred to as token devices. A passphrase is a sequence of characters that is longer than a password and is transformed into a virtual password. Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 2), /Documents/CISSP_Summary_2002/index.html.
CISSP Exam Question 62
Which of the following BEST represents the principle of open design?
Correct Answer: D
CISSP Exam Question 63
Which of the following is an example of mobile code?
Correct Answer: D
An example of mobile code is Java and ActiveX code downloaded into a Web browser from the World Wide Web. The other answers are incorrect because they are types of code that are not related to mobile code.
CISSP Exam Question 64
A periodic review of user account management should NOT determine:
Correct Answer: C
Explanation: Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth. These reviews can be conducted on at least two levels: (1) on an application-by-application basis, or (2) on a system-wide basis. The strength of user passwords is beyond the scope of a simple user account management review, since it requires specific tools to try to crack the password file/database through either a dictionary or brute-force attack in order to check the strength of passwords.
Incorrect Answers:
A: A periodic review of user account management should determine conformity with the concept of least privilege.
B: A periodic review of user account management should determine whether active accounts are still being used.
D: A periodic review of user account management should determine whether management authorizations are up-to-date.
CISSP Exam Question 65
In which identity management process is the subject's identity established?