Exam CAS-004 topic 1 question 144 discussion

Actual exam question from CompTIA's CAS-004
Question #: 144
Topic #: 1

An analyst is evaluating the security of a web application that does not hold sensitive or financial data. The application requires users to have a minimum password length of 12 characters. One of the characters must be capitalized, and one must be a number. To reset the password, the user is asked to provide the birthplace, birthdate, and mother's maiden name. When all of these are entered correctly, a new password is emailed to the user. Which of the following should concern the analyst the MOST?

  • A. The security answers may be determined via online reconnaissance.
  • B. The password is too long, which may encourage users to write the password down.
  • C. The password should include a special character.
  • D. The minimum password length is too short.
Suggested Answer: A
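The keyspace arithmetic behind options C and D, which the thread below argues about, as an added example that is not part of the question or of any comment. It checks a password against the stated rules and computes, by inclusion-exclusion, the exact number of 12-character passwords that satisfy them, with and without option C's special-character requirement. The 32-symbol special set (ASCII punctuation) and the assumption that users under the original policy draw only from letters and digits are mine, not the question's. Requiring a special character adds about 7 bits (a roughly 120-fold larger keyspace); the reset flow in the question bypasses that keyspace entirely, because an attacker who can answer the three questions never has to guess the password, which is the reasoning behind the suggested answer.

```python
"""Added example: policy checker and exact keyspace calculator for the password
rules in the question (min 12 chars, at least one uppercase, at least one digit),
compared against option C's variant that also requires a special character."""
import math
import string
from itertools import combinations, product

LOWER = set(string.ascii_lowercase)   # 26
UPPER = set(string.ascii_uppercase)   # 26
DIGIT = set(string.digits)            # 10
# Assumption: the question names no special-character set; this uses the 32
# ASCII punctuation characters.
SPECIAL = set(string.punctuation)     # 32

# 'alphabet' is the pool the keyspace calculation assumes users draw from
# (an assumption: the question's policy does not forbid other characters).
QUESTION_POLICY = {"min_length": 12, "required": [UPPER, DIGIT],
                   "alphabet": LOWER | UPPER | DIGIT}
SPECIAL_POLICY = {"min_length": 12, "required": [UPPER, DIGIT, SPECIAL],
                  "alphabet": LOWER | UPPER | DIGIT | SPECIAL}


def meets_policy(password: str, policy: dict) -> bool:
    """True if the password is long enough and contains at least one
    character from every required class."""
    if len(password) < policy["min_length"]:
        return False
    return all(any(ch in cls for ch in password) for cls in policy["required"])


def keyspace(length: int, policy: dict) -> int:
    """Exact count of strings of exactly `length` characters over the policy's
    alphabet that contain at least one character from each required class.
    Inclusion-exclusion: all strings, minus those missing each single class,
    plus those missing each pair, minus those missing each triple, and so on."""
    alphabet, required = policy["alphabet"], policy["required"]
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            pool = len(alphabet - set().union(*missing))
            total += (-1) ** k * pool ** length
    return total


def brute_force_keyspace(length: int, policy: dict) -> int:
    """Cross-check for keyspace() by enumeration; only feasible for tiny inputs."""
    return sum(
        1 for s in product(sorted(policy["alphabet"]), repeat=length)
        if all(any(ch in cls for ch in s) for cls in policy["required"]))


def compare(length: int = 12) -> dict:
    """Keyspace and entropy (bits) of both policies at the given length, and
    how many times larger the special-character variant is."""
    q, s = keyspace(length, QUESTION_POLICY), keyspace(length, SPECIAL_POLICY)
    return {"question_keyspace": q, "special_keyspace": s, "ratio": s / q,
            "question_bits": math.log2(q), "special_bits": math.log2(s)}


if __name__ == "__main__":
    for pw in ("Summer202412", "summer202412", "Summer20", "Summer2024!!"):
        print(f"{pw!r:16} question policy: {meets_policy(pw, QUESTION_POLICY)!s:5} "
              f"with special char: {meets_policy(pw, SPECIAL_POLICY)}")
    c = compare()
    print(f"12-char keyspace, question policy: 2^{c['question_bits']:.2f}")
    print(f"12-char keyspace, plus special char: 2^{c['special_bits']:.2f} "
          f"({c['ratio']:.0f}x larger, "
          f"{c['special_bits'] - c['question_bits']:.1f} bits)")
    # Neither number matters to an attacker who answers the three reset
    # questions: the reset path sidesteps the password keyspace entirely.
```

The inclusion-exclusion sum is exact, so the same function also gives the keyspace for any other set of required classes; the brute-force cross-check is there only to confirm it on a tiny alphabet.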

Comments

david124
Highly Voted 2 years, 6 months ago
Selected Answer: A
This information can all be obtained from online recon, so I'm 100% sure it's A.
upvoted 8 times
angryelvis
Highly Voted 2 years, 3 months ago
Selected Answer: C
I agree that the info required to reset the password is easily available and a problem, but that still requires the bad actor to intercept the email in order to reset the password. As it stands, the question doesn't say anything about the account locking out. If that was available I would choose that. Since it isn't, I'll take the next problem: C, the password isn't complex enough.
upvoted 5 times
Trap_D0_r
Most Recent 1 year, 2 months ago
Gotta say C here--as many have pointed out, even if someone can reset the password it'll just go to email. And to everyone saying "Well what if their email is compromised?!" it's a non-sensitive application with no financial data and the security team doesn't have control over your personal email address. A 12-char password with 1 number and 1 cap would take almost no time to brute force. Requiring a special character makes the password exponentially (approximately x^10) more difficult to brute force.
upvoted 2 times
armid
9 months ago
The question did not say what email; it could be corporate, could be personal. The analyst would know nothing about how the personal email is secured. Heck, the person might even use the same security questions for password resets of his personal email. Answer A just feels much better.
upvoted 1 times
bobsmith69
1 year, 5 months ago
Selected Answer: A
Clearly A
upvoted 2 times
ThatGuyOverThere
1 year, 5 months ago
Selected Answer: C
Initially I was thinking A but multiple people here pointed out the new password goes to the user's email address and doesn't just let them choose a new password. In light of that, I'm going with C.
upvoted 2 times
tefyayaydu
1 year, 5 months ago
The reasoning is that if the type of information is easily retrievable from online recon, then it isn't too far-fetched to think that the user's email is already compromised, and any amount of password complexity will not help here. There is an earlier question that deals with password complexity and does not contain a special character as well. As the description for the answer stated, the special character is not needed, so if we're referring to other questions then that helps vet answer 'A'.
upvoted 1 times
Ariel235788
1 year, 6 months ago
Selected Answer: B
I agree, you can get all this info online, but what's the point unless you've already compromised the user's email account? Also, I agree that a special character SHOULD be used; however, I believe that with anything 12 characters+, you're running the risk of users writing down passwords (you should ALWAYS have this risk btw. Not all users care to memorize 8-char passwords). Since that's the most inherent risk, I'm choosing B.
upvoted 1 times
Meep123
1 year, 6 months ago
A: I don't believe the complexity of the password would matter if it can be reset more easily than trying to crack it.
upvoted 2 times
Ariel235788
1 year, 6 months ago
Yeah, it can be reset, but "When all of these are entered correctly, a new password is emailed to the user." The attacker is not the user.
upvoted 2 times
tefyayaydu
1 year, 5 months ago
Wouldn't matter if the attacker already has access to the user's email. Encountered this before in the real world with users, the password complexity is moot.
upvoted 1 times
ThatGuyOverThere
1 year, 5 months ago
That's a good point.
upvoted 1 times
Geofab
2 years ago
Selected Answer: A
agree with A
upvoted 3 times
FoxTrotDG
2 years, 1 month ago
Selected Answer: A
An attacker can potentially find the answers to the questions via online reconnaissance. No password policy can prevent that.
upvoted 5 times
ripper69
2 years ago
Yes, and the attacker would need to intercept the e-mail for that. I'd say it's C.
upvoted 2 times
FoxTrotDG
2 years ago
Wrong. Online reconnaissance refers to using online resources to gather details about a person (birthplace, birthdate, mother's maiden name). Examples include, social media platforms, public records, people search engines, data breaches, etc. Intercepting an e-mail is not required for that.
upvoted 1 times
Ariel235788
1 year, 6 months ago
Yeah, it can be reset, but "When all of these are entered correctly, a new password is emailed to the user." The attacker is not the user.
upvoted 2 times
Serliop378
2 years, 1 month ago
Selected Answer: C
Not A, since even if the attacker performs some social engineering or OSINT to reset the password, he will also have to compromise the mail account!
upvoted 4 times
OneSaint
2 years, 1 month ago
Selected Answer: C
Analyst is evaluating the security of a web application, seems like Alphanumeric is what they are looking for.
upvoted 2 times
AnnoyingIAGuy
2 years, 2 months ago
A. This happened to the Alaskan Sen. Sarah Palin
upvoted 3 times
chil7chil7
2 years, 4 months ago
Selected Answer: A
"A" can be found in FB
upvoted 3 times
[Removed]
2 years, 5 months ago
Selected Answer: A
This is well-known information that anybody can find online.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
