Contact us
Blog

Protecting user passwords: security techniques and penetration testing

If you are involved in the development of a software product that implies usage of some personal data, this post is just for you.
24 May 2018
Cybersecurity testing
The article by a1qa
a1qa

High-profile data breaches continue to hit the headlines. However, you may be surprised to know that most of the attacks do not take a lot of time or efforts. Weak passwords provide abusers with a lot of opportunities.

If you are involved in the development of a software product that implies usage of some personal data, this post is just for you. It is prepared by the a1qa Security Testing Center of Excellence engineers. After you finish reading it, you’ll learn:

  • Strong passwords – what are they?
  • What techniques can be implemented to increase the security of user accounts?
  • Can software testers detect security flaws before the real attackers do and eliminate them?

3 ways attackers steal passwords

Before talking about securing passwords, let’s list the ways the attacker may take to steal them. Generally, the password can be stolen directly from a user, from the service, or on its way from the client to the service.

Today, we’ll focus on the first option only as it is related to the password security, while two others deal with the web app vulnerabilities and the likelihood of the password being stolen has nothing to do with the password complexity.

So how can attackers break in?

  • Performing brute force attacks. Surprisingly, but most of the passwords can be guessed within a specific number of tries. By resorting to this method, hackers will use special tools to enter the password over and over again until it’s cracked. This hacking method is the easiest and least sophisticated.
  • Another option is to employ social engineering techniques to learn the user’s credentials, as the human weakness is much easier to penetrate than the network vulnerabilities. This method is more sophisticated and requires psychological skills from the hacker to sound trustworthy and make the victim reveal the data.
  • Also the attacker can peep the password at the victim’s working station, install the keylogger to monitor and register all keystrokes typed or simply find a sticker with the password.

You see it’s not that difficult to learn the password if you want to.

Password protection techniques

If the hacker prefers one of the two latter options, the dev team won’t be able to do anything to stop them. However, the first method can be prevented by implementing certain techniques at the software development stage.

Let’s name a few:

  • Implement CAPTCHA to prevent bots from automating logging and prove there is a human performing an action.
  • Require two-factor authentication with the help of other devices. For example, a user may be asked to enter the code received in an SMS. Another option is to generate a one-time password that will be valid for only one session or transaction.
  • You can also restrict a user after several unsuccessful login attempts. However, make sure you won’t block the user forever, just for some period of time.
  • Add controls to password minimum length and complexity.
  • Ideal password length is 8-12 symbols.
  • Make sure your users know that the password may incorporate numbers, Latin characters and special symbols ($, ?, !, <, ”, #, %, @, etc.).
  • The combination of number and letters (upper- and lower-case) is reasonable and reliable.

It’s NOT recommended to use:

  • Words that can be found in the dictionary as password-cracking tools
  • Adjacent keyboard combinations like qwerty, 123456789, qazxsw are also trivial to crack.
  • Personal data (first or last name, birth date, passport number, etc.) and also passwords from other services.

Inform your users that it’s also important to make a password that will be not difficult to remember. Most people tend to write long passwords down and stick it to the monitor, which increases the risk of the password being stolen.

You can also develop built-in notifications to remember your users to change the password once in every 90 days, for example.

Also, think about the actions that a user should take if his/her password has been stolen or he/she believes it has been.

What happens if there are no security techniques implemented: a real-world example

If there are any vulnerabilities in the security mechanisms, the abuser who has enough time and desire to get the password will make use of this vulnerability and sooner or later succeed. Getting access to the web site admin panel will enable the abuser to change the web site content.

In one of the projects our engineers were testing the mobile app. The app had a two-factor authentication and the user had to enter his phone number, get a code in an SMS and enter the 4-digit code to log in.

The first things the a1qa engineers paid attention to was that the code was made up of 4 digits, which gave them (and abusers) only 10000 of possible combinations to crack the password.

To make things worse, there was an error in the authentication process: the server didn’t block users after any number of unsuccessful login attempts.

Cracking the password with the specially developed script took our engineers only 15 minutes!

Here is Top Security Threats for Web Apps detected by the a1qa engineers: Part 1 and Part 2.

Penetration testing is a vital part of any effective security strategy

Pen testing allows to assess the security level of the system by running simulated attacks to detect possible entries for the abusers.

Professional pen testing process involves several stages.

At the very beginning, security testing engineers collect all information they can about the victim/client: names, emails, children names, nicknames in social media accounts, etc. Based on this information, dictionaries for password cracking are generated and used to crack passwords.

Social engineering emails, calls, face-to-face contact and other tests on people can be performed to ascertain if they are susceptible to an attack.

When to perform pen testing?

Penetration testing should start only after the application is ready and a full functionality test is completed.

Pen testing results:

  • Independent assessment of the system security level
  • Detection of all security weaknesses
  • List of recommendations to improve with the estimation of time and costs they will take to enable.

Is your users’ data secured? If you have any doubts, set up an obligation-free consultation with the a1qa security testing specialists.

More Posts

gaming-qa
24 August 2023,
by a1qa
4 min read
Ready, steady, test: How QA drives seamless gaming experiences
Why is QA pivotal for delivering unmatched player experiences? How to level up video game quality? Find the answers in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Quality assurance
Test automation
Usability testing
12jun202311
22 June 2023,
by a1qa
4 min read
The ins and outs of ensuring OSS/BSS software quality: a hands-on guide
The need for OSS/BSS’ flawless operation is undisputable, but how can we reach that goal? Inter alia, a1qa suggests focusing on delivering high software quality to the end users.
Cybersecurity testing
Functional testing
General
Performance testing
6-march-2023-1
21 March 2023,
by a1qa
4 min read
The ultimate QA guide for smoothly migrating to Web 3.0
Find out how businesses can seamlessly migrate to Web 3.0 by relying on quality assurance.
Cybersecurity testing
General
Performance testing
Usability testing
27 February 2023,
by a1qa
5 min read
Reaching HIPAA compliance for eHealth solutions through QA
We reveal HIPAA’s data safety benchmarks and shed light on how software testing may help in its conformity.
Cybersecurity testing
Software lifecycle QA
Mobile app testing
15 February 2023,
by a1qa
4 min read
Mobile app testing guide: win the race with five-star software
Which aspects of mobile apps to test first to produce a really high-quality product? Find the answer to this and other questions related to mobile app testing in the article.
Cybersecurity testing
Functional testing
Mobile app testing
Performance testing
Test automation
Usability testing
qa-trends-in-telecom
30 September 2022,
by a1qa
5 min read
4 telecom trends for 2023 and how to painlessly implement them with QA
It’s time to explore the telecom trends for the upcoming year. Let’s look at them together and also see the value that QA brings for their smooth deployment.
Cybersecurity testing
Migration testing
QA trends
Quality assurance
Test automation
black-friday
29 July 2022,
by a1qa
4 min read
Get ready for Black-Friday-to-Cyber-Monday shopping: 5 testing types to include in your QA strategy
What’s your nightmare during Black Friday and Cyber Monday shopping? If it’s a loss of sales, read about the ways to prevent this in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Usability testing
30 June 2022,
by a1qa
4 min read
App software testing for telecom: What are the common issues telco providers face?
Facing problems with the quality of your telecom software products? Read more in the article and find out the ways to address them.
Cybersecurity testing
Performance testing
Test automation
20 June 2022,
by Alina Karachun
5 min read
Top-quality IoT solutions: 3 problems and ways to solve them
What quality aspects of IoT solutions are predominant to care about and why? Find the answers in the article.
Cybersecurity testing
IoT testing
Performance testing

Get in touch

Please fill in the required field.
Email address seems invalid.
Please fill in the required field.
This file is too large
Up to 5 attachments. File must be less than 5 MB.
Allowed types: jpg, jpeg, png, svg, pptx, pdf, doc, docx, ppt, odt
We use cookies on our website to improve its functionality and to enhance your user experience. We also use cookies for analytics. If you continue to browse this website, we will assume you agree that we can place cookies on your device. For more details, please read our Privacy and Cookies Policy.