Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 23
Which of the following application software features is the least effective control to protect passwords?
Answer options
- A. Suspension of user IDs after a user's repeated attempts to sign on with an invalid password.
- B. Encryption of passwords prior to their transmission or storage.
- C. Forced change of passwords after a designated number of days.
- D. Automatic logoff of inactive users after a specified time period of inactivity.
Correct answer: C
Explanation
The correct answer is C: forcing password changes after a set period can lead to weak passwords when users choose easy-to-remember ones. In contrast, options A, B, and D are more effective security measures, because they prevent unauthorized access, ensure password confidentiality, and limit session time, respectively.