CompTIA CASP+ (CAS-004) — Question 129
A security analyst is evaluating the security of an online customer banking system. The analyst has a 12-character password for the test account. At the login screen, the analyst is asked to enter the third, eighth, and eleventh characters of the password. Which of the following describes why this request is a security concern? (Choose two.)
Answer options
- A. The request is evidence that the password is more open to being captured via a keylogger.
- B. The request proves that salt has not been added to the password hash, thus making it vulnerable to rainbow tables.
- C. The request proves the password is encoded rather than encrypted and thus less secure as it can be easily reversed.
- D. The request proves a potential attacker only needs to be able to guess or brute force three characters rather than 12 characters of the password.
- E. The request proves the password is stored in a reversible format, making it readable by anyone at the bank who is given access.
- F. The request proves the password must be in cleartext during transit, making it open to on-path attacks.
Correct answer: D, E
Explanation
The correct answers are D and E. Asking for only three specific characters narrows what an attacker must guess or brute force from the full 12-character password to just three characters for that login attempt (D). It also reveals how the password is stored: to verify individual character positions, the server must be able to recover those characters, which a one-way salted hash does not allow. The password must therefore be held in cleartext or a reversible format, making it readable by anyone at the bank who is given access to the store (E). The other options do not follow from the request: it says nothing about keyloggers, salting, encoding versus encryption, or how the password is protected in transit.