CompTIA Security+ Question L-80

A security administrator is reviewing the below output from a password auditing tool:
Which of the following additional policies should be implemented based on the tool’s output?

A. Password age
B. Password history
C. Password length
D. Password complexity

Answer: C

The output shows that all the passwords are either 4 or 5 characters long. This is way too short, 8 characters are shown to be the minimum for password length.