Question
You have been asked to perform a security review of a vendor-hosted application that your organization is considering procuring. The system will contain sensitive private customer data, which your organization's workers will need to access and update from the field. Reviewing the documentation and examining a demonstration site from the vendor, you find the following:
The system uses a typical web-based architecture (client browser, web front-end server, database back-end server). The server stack is Microsoft IIS/MSSQL, but the application was programmed in HTML so that it can be browser-agnostic.
Communications between the browser and the web server use HTTP on port TCP; communications between the web server and the database server use MSSQL protocols on port TCP.
The vendor's Internet gateway is protected by multiple layers of network protection: a network firewall, an intrusion detection system, network antivirus, and a web application firewall. These are configured to monitor the authorized HTTP traffic to the web server and to block any other traffic.
Each user must have a unique username and create a strong password. If a user forgets his or her password, he or she can use a "Forgot password?" link on the application to have the current password sent to his or her email address. Passwords are required to be characters in length and contain a mix of upper- and lowercase letters, numerals, and symbols.
Every user transaction in the application is logged in a separate database, showing the transaction, what user account performed it, when it occurred, and the IP address of the browser client. Only the vendor's database administrators have access to modify these audit logs.
Data input is validated at the browser using a normalization routine, prior to being sent to the web server.
Database fields containing sensitive data, including user passwords, will be encrypted in the database using AES encryption.
The application servers are hosted in an SSAE compliant datacenter.
To ensure availability, active-passive replication across a private network keeps redundant servers in a datacenter across the country constantly updated. If the primary datacenter becomes unavailable, it will take only seconds for the application to automatically switch to the secondary datacenter.
Which of the following would you NOT suggest as a way of improving authentication for this system?
Hashing and salting the passwords in the database.
Introducing a second factor of authentication, such as a hardware or software token.
Storing the passwords using reversible encryption.
Allowing longer passwords.
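Hashing and salting passwords, one of the options listed above, works as in the following example. This is added illustration code, not part of the question and not code from the vendor's application; the PBKDF2 parameters, the record format, the function names and the in-memory user store are all assumptions. It also shows what such storage means for the "Forgot password?" link described in the scenario: a one-way hash cannot be reversed to mail the current password, so the reset flow has to issue a random single-use token and let the user set a new password instead.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Illustrative constants (assumptions for this example, not values from the question).
ITERATIONS = 600_000      # PBKDF2 work factor; tune to roughly 100 ms on the target hardware
SALT_BYTES = 16           # per-user random salt
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """One-way, salted password hash.

    Returns a self-describing record "algo$iterations$salt_hex$hash_hex" so the
    work factor can be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:          # malformed record
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """Minimal in-memory user table, constructed for the example."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self.iterations = iterations
        self.records: Dict[str, str] = {}        # username -> hash record
        self.reset_tokens: Dict[str, str] = {}   # sha256(token) -> username

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password, iterations=self.iterations)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a wrong password.
            hash_password(password, iterations=self.iterations)
            return False
        return verify_password(password, record)

    def issue_reset_token(self, username: str) -> str:
        """With one-way hashes the server cannot mail the current password; it
        sends the user a random single-use token and keeps only the token's hash."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        username = self.reset_tokens.pop(key, None)   # single use: removed on first try
        if username is None:
            return False
        self.register(username, new_password)
        return True


if __name__ == "__main__":
    store = UserStore(iterations=50_000)
    store.register("field_user", "Correct-Horse-7!")
    print("stored record:", store.records["field_user"])      # no plaintext present
    print("login ok:", store.login("field_user", "Correct-Horse-7!"))
    token = store.issue_reset_token("field_user")
    print("reset ok:", store.redeem_reset_token(token, "New-Passphrase-9?"))
```

Two design points worth noting: the per-user salt means two users with the same password get different records, and the stored record never contains anything from which the password can be recovered, which is exactly why the reset path above must set a new password rather than reveal the old one.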