PrepAway - Latest Free Exam Questions & Answers

Which of the following password requirements will MOST effectively improve the security posture of the applica

While reviewing the security controls in place for a web-based application, a security controls assessor
notices that there are no password strength requirements in place. Because of this vulnerability,
passwords might be easily discovered using a brute force attack. Which of the following password
requirements will MOST effectively improve the security posture of the application against these attacks?
(Select two)

A. Minimum complexity
B. Maximum age limit
C. Maximum length
D. Minimum length
E. Minimum age limit
F. Minimum re-use limit

3 Comments on “Which of the following password requirements will MOST effectively improve the security posture of the applica

  1. Brian G says:

    The correct answers are Minimum complexity and Minimum length.

    Adding minimum complexity requirements increases the base of every character, so instead of multiplying the possible passwords by 26 for every character if you only have a lower-case password, adding 26 for uppercase, 10 for digits, and 22 for special characters gives you base 84. That means a 12-character password has over a million times as many possibilities.

    Adding minimum length requirements is even more dramatic. Assuming you have that base-84 complexity (using everything), a six-character password has 351 billion possible combinations, but an eight-character password has over two quadrillion.

    If you combine full complexity with a 16-character length, you have 3,641,719,026,648,810,000,000,000,000,000,000,000 possibilities.

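The keyspace arithmetic from the comment above, as an added example that is not part of the original page or the commenter's post. It uses the comment's class sizes (26, 26, 10, 22) and goes one step further by counting, with inclusion-exclusion, how many passwords remain when every class is mandatory. The guess rate is an assumed value, not a figure from the page.

```python
from itertools import combinations

# Class sizes as given in the comment: 26 + 26 + 10 + 22 = base 84.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 22}
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, classes=CLASSES):
    """Upper bound: any character of the alphabet at every position."""
    return sum(classes.values()) ** length


def keyspace_enforced(length, classes=CLASSES):
    """Passwords of this length that contain at least one character from
    every class, counted by inclusion-exclusion over the missing classes."""
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate, not a figure from the page
    for n in (6, 8, 12):
        full, strict = keyspace(n), keyspace_enforced(n)
        print(f"len {n:2}: lower-only {26 ** n:.3e}  base-84 {full:.3e}  "
              f"all classes required {strict:.3e}  "
              f"exhaust in {years_to_exhaust(strict, rate):.3g} years")
```

Making every class mandatory removes some candidates from the base-84 upper bound, so the enforced count always sits somewhat below 84^n, while each added character multiplies the space by up to 84.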