Exam CAS-004
Question 151

A security analyst is evaluating the security of an online customer banking system. The analyst has a 12-character password for the test account. At the login screen, the analyst is asked to enter the third, eighth, and eleventh characters of the password. Which of the following describes why this request is a security concern? (Choose two.)

    Correct Answer: D, E

    Asking for a few positions of the password instead of the whole string weakens the check: a guess only has to be right at the requested positions, so an attacker brute-forces three characters rather than twelve (D). With the 94 printable ASCII symbols (space excluded) that is 94^3, under a million candidates, against 94^12 for the full password. Second, a server that can confirm individual characters at known positions cannot be holding only a conventional salted hash of the whole password; it must keep the password in plaintext or under reversible encryption, and even a separate hash of each single character is reversible by trying all 94 symbols for that position. Either way, whoever has access to the stored credential can read it, which is why the storage is treated as reversible (E).

Discussion
Mr_BuCk3th34D (Options: DE)

The request to enter specific characters of the password rather than the full password may be a security measure intended to make it more difficult for an attacker to gain access to the account by guessing the password. However, it also means that a potential attacker only needs to be able to guess or brute force three characters of the password rather than all 12 characters. In addition, the fact that the system is able to retrieve specific characters of the password suggests that the password is stored in a reversible format, which means that it can be read by anyone who has access to it.

FoxTrotDG

There's not enough information to prove the password is stored in a reversible format. The bank could be using a secure method to store and verify password characters without storing the password reversibly.

tefyayaydu

This is not possible. If the password was not reversible, it would be impossible to prove that the characters entered are in their required positions. I think your line of thought is that the person was issued a password and the password somehow still resided in memory, but this is not the case, even with the most trivial applications (it would be voted the worst design ever in history). More than likely the password went through the normal steps of being randomly generated and assigned. The data, when entered by the user, will be encrypted (via TLS) to the server. From there, multiple ways exist of authenticating the data, but to do so it is undeniable that the password 'must' be reversible, or it is impossible to know that the submitted info is valid and you might as well have the application simulate rolling dice to determine if it passes.

hidady (Options: DE)

D, E is the correct answer.

ThatGuyOverThere (Options: DE)

I got it wrong at first, but D and E seem correct.

FoxTrotDG (Options: AD)

I'm going with A and D. D is self-explanatory, and here's my reasoning for A: over time, if the same user is repeatedly prompted to input different characters from the password, an attacker using a keylogger may be able to piece together the entire password.

AaronS1990

I get the rationale, however take the question as a "here and now" scenario. Only putting in three characters actually protects against keyloggers.

isaphiltrick

Not every security situation is a "here and now" scenario. Think of APT and how long those bad actors are willing to wait for an opportunity.

isaphiltrick

FoxTrotDG actually makes a very valid point because my foreign bank does exactly that. Each time I log in it asks for a different order and if a keylogger records what character was used for a particular position, it can eventually lead to giving up the entire password or at least minimize the number of attempts to brute force the password. I now know that I should change that password more often than normal because of that possibility.

ThatGuyOverThere

A keylogger could grab an entire password just as easily as 3 characters. So, at worst, having the user only type in 3 characters slows down the effectiveness of a keylogger.

tefyayaydu

Not only that, but keyloggers more than likely wouldn't be at the top of a concern list here due to password managers being so heavily utilized. Keyloggers are still a concern, just three characters to brute force is so tiny that it's more liable to affect 'everyone' than the 'few' people that may have a keylogger on their system.
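The two arguments above, the answer explanation's point about brute-force effort and storage (D and E) and the keylogger exchange started by FoxTrotDG and isaphiltrick, can be modelled directly. The following is an added example written for this page; it is not code from the question, the exam, or any bank. The 12-character sample password, the per-user salt, the "one hash per position" storage scheme, and the assumption that the malware sees both the prompted positions and the typed characters are all constructed for the illustration.

```python
"""Model of a "partial password" login (enter characters at positions 3, 8, 11).

Added example for this page. Everything named below (SAMPLE_PASSWORD, the salt,
the per-position storage scheme, the malware capabilities) is a constructed
assumption, not the design of any real bank.
"""
from __future__ import annotations

import hashlib
import hmac
import random
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SAMPLE_PASSWORD = "Tr0ub4dor&3x"  # constructed 12-character test-account password


def guess_space(positions_asked: int, length: int, alphabet: int = len(ALPHABET)) -> tuple[int, int]:
    """Candidates an attacker must try: only the asked positions vs. the whole password (answer D)."""
    return alphabet ** positions_asked, alphabet ** length


def _position_digest(salt: bytes, index: int, ch: str) -> str:
    # Constructed scheme: SHA-256 over (salt, 0-based position, single character).
    return hashlib.sha256(salt + bytes([index]) + ch.encode()).hexdigest()


def store_per_position(password: str, salt: bytes) -> list[str]:
    """The friendliest reading of 'the server can check single characters' without
    keeping plaintext: one digest per position. invert_position() shows it is still weak."""
    return [_position_digest(salt, i, ch) for i, ch in enumerate(password)]


def verify_challenge(stored: list[str], salt: bytes, positions: list[int], typed: str) -> bool:
    """Server side of the login screen; positions are 1-based as in the question."""
    if len(typed) != len(positions):
        return False
    ok = True
    for pos, ch in zip(positions, typed):
        ok &= hmac.compare_digest(_position_digest(salt, pos - 1, ch), stored[pos - 1])
    return ok


def invert_position(stored: list[str], salt: bytes, pos: int) -> str:
    """Anyone holding the stored digests recovers one character by trying all 94
    symbols: a per-character hash is reversible by enumeration (the point behind E)."""
    for ch in ALPHABET:
        if _position_digest(salt, pos - 1, ch) == stored[pos - 1]:
            return ch
    raise ValueError("character not in alphabet")


def dump_password(stored: list[str], salt: bytes) -> str:
    """Read the whole password back from storage: 12 positions x 94 tries = 1128 hashes."""
    return "".join(invert_position(stored, salt, p) for p in range(1, len(stored) + 1))


def logins_until_recovered(password: str, k: int = 3, seed: int = 0) -> tuple[int, str]:
    """Keylogger argument from the discussion: each login the bank asks for k random
    positions; malware that captures both the prompt and the keystrokes (assumed)
    learns those (position, character) pairs. Returns the number of logins needed
    to learn every position and the reconstructed password."""
    rng = random.Random(seed)
    known: dict[int, str] = {}
    logins = 0
    while len(known) < len(password):
        logins += 1
        for p in sorted(rng.sample(range(1, len(password) + 1), k)):
            known[p] = password[p - 1]
    return logins, "".join(known[p] for p in range(1, len(password) + 1))


def average_logins(password: str, k: int = 3, trials: int = 200) -> float:
    """Average observed logins before the malware holds the full password."""
    return sum(logins_until_recovered(password, k, s)[0] for s in range(trials)) / trials


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    stored = store_per_position(SAMPLE_PASSWORD, salt)
    print("3-of-12 vs full keyspace:", guess_space(3, 12))
    print("login with chars 3, 8, 11 = '0o3':", verify_challenge(stored, salt, [3, 8, 11], "0o3"))
    print("password read back from storage:", dump_password(stored, salt))
    print("logins until keylogger has it all (seed 0):", logins_until_recovered(SAMPLE_PASSWORD))
    print("average over 200 runs:", average_logins(SAMPLE_PASSWORD))
```

Two things to take from running it: the per-position digests do not protect the stored credential at all, since each position falls to 94 hash computations, and the random-position prompt only delays a malware-infected client, because every login leaks three more positions until the full string is known.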

23169fd (Options: DE)

D. The request proves a potential attacker only needs to be able to guess or brute force three characters rather than 12 characters of the password. Correct. By requesting only specific characters, an attacker would need to guess or brute force only a subset of the password (e.g., 3 out of 12 characters), significantly reducing the complexity and increasing the vulnerability.

E. The request proves the password is stored in a reversible format, making it readable by anyone at the bank who is given access. Correct. The fact that the system can request specific characters of the password implies that the password is stored in a reversible format (e.g., plain text or encrypted but reversible), which is a significant security concern. Secure systems typically store passwords in a hashed format that does not allow for easy extraction of individual characters.

armid (Options: CE)

Why not CE? I don't see how this method is easy to brute-force, assuming every time you log in you are asked for different character positions. Or is this suggesting that the 3rd, 8th and 11th characters are asked for EVERY single time? That'd be dumb.

ayeayeronpaul (Options: DF)

I agree with D like the majority of everyone here, but I'm surprised no one here has considered F. In a secure system, passwords are typically hashed or encrypted on the client side (the device where the user is entering the password) before being transmitted to the server. However, when a system asks for specific characters of the password, it implies that the server needs to compare those characters directly with the stored password. This comparison cannot occur if the password is fully hashed or encrypted because the server wouldn't be able to retrieve the original password characters for the comparison. This leads me to believe that those specific characters are plaintext. Going with DF here, unless someone has more insight.

Anarckii

Nothing in the question can provide proof of information regarding the encryption and hashing that is being used. Honestly, this question is one of those poorly worded and given scenarios from CompTIA. We are given the characteristics of the password and asked what concerns there are. Obviously, the password is more exposed to brute force because there are only three characters. Nothing really determines how this password is stored or the encryption that is being used, which makes it hard to go with E or D. A - Keylogging could be an answer, but an attacker can "always" keylog, so how is that relevant to the information that we are provided? Because we aren't given a hash or encryption, it really only seems that A and D are the correct answers...

saucehozz (Options: AD)

AD. peeps

AaronS1990 (Options: AE)

But if you have to enter 3 characters and the password is 12 digits, then there are still 9 characters unaccounted for. How would that make it D?

AaronS1990

Ignore me, I misread and am talking complete crap. Definitely D and... something else.