Exam CAS-004 All Questions
Question 144

An analyst is evaluating the security of a web application that does not hold sensitive or financial data. The application requires users to have a minimum password length of 12 characters. One of the characters must be capitalized, and one must be a number. To reset the password, the user is asked to provide the birthplace, birthdate, and mother's maiden name. When all of these are entered correctly, a new password is emailed to the user. Which of the following should concern the analyst the MOST?

    Correct Answer: A

    The most concerning issue for the analyst is that the security answers (birthplace, birthdate, and mother's maiden name) may be easily determined via online reconnaissance. This is problematic because these pieces of information can often be found through social media profiles, public records, or other online searches. Once an attacker obtains this information, they can bypass the password and gain unauthorized access to the account. This vulnerability is more significant than the lack of a special character in the password requirements, which is a secondary issue in comparison.

Discussion
david124 (Option: A)

This information can all be obtained from online recon, so I'm 100% sure it's A.

FoxTrotDG (Option: A)

An attacker can potentially find the answers to the questions via online reconnaissance. No password policy can prevent that.

ripper69

Yes, and the attacker would need to intercept the e-mail for that. I'd say it's C.

FoxTrotDG

Wrong. Online reconnaissance refers to using online resources to gather details about a person (birthplace, birthdate, mother's maiden name). Examples include social media platforms, public records, people search engines, data breaches, etc. Intercepting an e-mail is not required for that.

Ariel235788

Yeah, it can be reset, but "When all of these are entered correctly, a new password is emailed to the user." The attacker is not the user.

Serliop378 (Option: C)

Not A, since even if the attacker performs some social engineering or OSINT to reset the password, he will also have to compromise the mail account!

angryelvis (Option: C)

I agree that the info required to reset the password is easily available and a problem, but that still requires the bad actor to intercept the email in order to reset the password. As it stands, the question doesn't say anything about the account locking out. If that was available I would choose that. Since it isn't, I'll take the next problem: C, the password isn't complex enough.

[Removed] (Option: A)

This is well-known information that anybody can find online.

Geofab (Option: A)

Agree with A.

AnnoyingIAGuy (Option: A)

A. This happened to Alaska Sen. Sarah Palin.

chil7chil7 (Option: A)

"A" can be found on FB.

bobsmith69 (Option: A)

Clearly A.

ThatGuyOverThere (Option: C)

Initially I was thinking A but multiple people here pointed out the new password goes to the user's email address and doesn't just let them choose a new password. In light of that, I'm going with C.

tefyayaydu

The reasoning is: if the type of information is easily retrievable from online recon, then it isn't too far-fetched to think that the user's email is already compromised, and any amount of password complexity will not help here. There is an earlier question that deals with password complexity and does not contain a special character as well. As the description for the answer stated, the special character is not needed, so if we're referring to other questions then that helps vet answer 'A'.

Meep123 (Option: A)

A: I don't believe the complexity of the password would matter if it can be reset more easily than trying to crack it.

Ariel235788

Yeah, it can be reset, but "When all of these are entered correctly, a new password is emailed to the user." The attacker is not the user.

ThatGuyOverThere

That's a good point.

tefyayaydu

Wouldn't matter if the attacker already has access to the user's email. I've encountered this before in the real world with users; the password complexity is moot.

OneSaint (Option: C)

The analyst is evaluating the security of a web application; it seems like alphanumeric is what they are looking for.

Trap_D0_r (Option: C)

Gotta say C here. As many have pointed out, even if someone can reset the password it'll just go to email. And to everyone saying "Well, what if their email is compromised?!": it's a non-sensitive application with no financial data, and the security team doesn't have control over your personal email address. A 12-char password with 1 number and 1 cap would take almost no time to brute force. Requiring a special character makes the password exponentially (approximately x^10) more difficult to brute force.

armid

The question did not say what email; it could be corporate, could be personal. The analyst would know nothing about how the personal email is secured. Heck, the person might even use the same security questions for password resets of his personal email. Answer A just feels much better.

Ariel235788 (Option: B)

I agree, you can get all this info online, but what's the point unless you've already compromised the user's email account? Also, I agree that a special character SHOULD be used; however, I believe that with anything 12 characters+, you're running the risk of users writing down passwords (you should ALWAYS have this risk, btw. Not all users care to memorize 8-char passwords). Since that's the most inherent risk, I'm choosing B.