PrepAway - Latest Free Exam Questions & Answers

Which of the following password requirements will MOST effectively improve the security posture of the applica

While reviewing the security controls in place for a web-based application, a security controls
assessor notices that there are no password strength requirements in place. Because of this
vulnerability, passwords might be easily discovered using a brute force attack. Which of the
following password requirements will MOST effectively improve the security posture of the
application against these attacks? (Select two)

A. Minimum complexity

B. Maximum age limit

C. Maximum length

D. Minimum length

E. Minimum age limit

F. Minimum re-use limit

10 Comments on “Which of the following password requirements will MOST effectively improve the security posture of the applica

  1. Lake says:

    Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. Many companies implement this policy. It means A is right.

    Password length determines the minimum number of characters your password should contain.
    Note: The key term is minimum, not maximum. Many companies set a minimum of 8 characters. It means D is right and C is wrong.

    The Maximum password age policy setting determines the number of days that a password can be used before the system requires the user to change it.
    Note: It is a good idea, but it is not mandatory in many companies. Therefore, I would NOT pick B and E.

    The password expiration setting determines that a user will not be able to log into a system without changing their password after the maximum password age has been reached.
    Although it is NOT one of the choices, I list it here for reference.

    Minimum re-use limit means password history. It is a good idea, but not as important as A and D.

    My answer is A and D.

  2. Brian G says:

    Lake and ser-sir are right. The correct answers are Minimum complexity and Minimum length.

    Adding minimum complexity requirements increases the base of every character, so instead of multiplying the possible passwords by 26 for every character if you only have a lower-case password, adding 26 for uppercase, 10 for digits, and 22 for special characters gives you base 84. That means a 12-character password has over a million times as many possibilities.

    Adding minimum length requirements is even more dramatic. Assuming you have that base-84 complexity (using everything), a six-character password has 351 billion possible combinations, but an eight-character password has over two quadrillion.

    If you combine full complexity with a 16-character length, you have 3,641,719,026,648,810,000,000,000,000,000,000,000 possibilities.

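The keyspace arithmetic from the comment above, as an added example that is not part of the original page or any commenter's post. It uses the comment's class sizes (26 + 26 + 10 + 22 = 84) and also counts, by inclusion-exclusion, the passwords that actually satisfy a rule forcing at least one character from every class; the guess rate is an assumed figure chosen only to turn counts into time.

```python
# Added example: keyspace arithmetic for the password policies discussed above.
# Class sizes follow the comment (26 + 26 + 10 + 22 = 84); the guess rate is an assumption.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 22}
ASSUMED_GUESSES_PER_SECOND = 1e10  # hypothetical offline attacker, not a measured figure
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, length):
    """Passwords of exactly `length` characters drawn freely from the alphabet."""
    return alphabet_size ** length


def keyspace_all_classes(length, classes=CLASSES):
    """Passwords of `length` characters with at least one character from every
    class, counted by inclusion-exclusion over the classes left out."""
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for mask in range(1 << len(sizes)):
        excluded = sum(s for i, s in enumerate(sizes) if (mask >> i) & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (total - excluded) ** length
    return count


def years_to_exhaust(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(lengths=(6, 8, 12)):
    """One row per minimum length: lowercase-only, full alphabet, all classes forced."""
    rows = []
    for n in lengths:
        rows.append({
            "length": n,
            "lowercase_only": keyspace(CLASSES["lower"], n),
            "full_alphabet": keyspace(sum(CLASSES.values()), n),
            "all_classes_required": keyspace_all_classes(n),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        worst = years_to_exhaust(row["all_classes_required"])
        print(row, f"~{worst:.3g} years at the assumed rate")
```

Forcing every class removes a small slice of the full 84-character space, but it rules out the far smaller lowercase-only space; each added character multiplies the count by the whole alphabet size.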
  3. Yam says:

    I have to agree with Jigga and pick my answers as C and E.

    Password needs to be complex to the maximum possible (meaning we don’t limit or minimize the complexity; rather use all the means to make it complex – upper and lower case, numbers, special characters…)

    Requiring the password to have a minimum length does the opposite of what is required. The age of the password is what needs to be minimum.

  4. CyberExpertKing says:

    A and D.

    When it comes to password strength to protect from brute force attacks, you look at:
    Password complexity (minimum complexity) and
    Password length (minimum length).
    Re-use limit does not make a password strong.
