CompTIA CASP+ (CAS-004) — Question 620
An analyst is evaluating the security of a web application that does not hold sensitive or financial data. The application requires users to have a minimum password length of 12 characters. One of the characters must be capitalized, and one must be a number. To reset the password, the user is asked to provide the birthplace, birthdate, and mother's maiden name. When all of these are entered correctly, a new password is emailed to the user. Which of the following should concern the analyst the MOST?
Answer options
- A. The security answers may be determined via online reconnaissance.
- B. The password is too long, which may encourage users to write the password down.
- C. The password should include a special character.
- D. The minimum password length is too short.
Correct answer: A
Explanation
The correct answer is A. The reset flow is gated entirely by three static facts: birthplace, birthdate and mother's maiden name. None of them is secret. They appear in public records, obituaries, genealogy sites and social-media profiles, they are shared across every site that uses the same questions, and they can never be rotated once exposed. Anyone who collects them through online reconnaissance can trigger a reset, so the recovery path is weaker than the password it replaces. This is why current guidance such as NIST SP 800-63B rejects knowledge-based security questions for account recovery in favour of a random, single-use, time-limited token delivered to a verified channel. Option B is incorrect: twelve characters is not excessively long, length is the main driver of password strength, and the risk of users writing passwords down is addressed with a password manager, not by shortening the policy. Option C is incorrect because a mandatory special character adds little once length and a mix of character classes are already required, and it is not the most serious issue here. Option D is incorrect because a 12-character minimum already exceeds the 8-character floor commonly recommended for user-chosen passwords.