Password security: What to test and how to improve your authentication mechanism?


If passwords are used for authentication in your system or application, the security of the system's access control and access rights management depends decisively on the correct use of those passwords. When testing the password security mechanism, keep in mind that passwords must always be a practical compromise between the following security objectives:

  • the character combination of the password should be so complex that it’s not easy to guess

  • the maximum number of possible passwords (given the implemented algorithm) is large enough so that it cannot be determined in a short time by trial and error (brute force attack)

  • the password must not be too complex, so that the user is able to memorize it with reasonable effort

What to test for / How to improve password security practices?

If you are testing your password authentication rules or trying to improve password security within your application, system or organization, the following checklist can be considered:

  • the password must not be easy to guess. Names, license plates, date of birth, etc., should not be used as passwords

  • a password can be built from uppercase letters, lowercase letters, special characters, and numbers; at least two of these character classes should be used

  • if alphanumeric characters can be selected for the password, it should be at least 8 characters long (I would personally recommend at least 12)

  • the authentication system should block access after a few unsuccessful attempts (for a certain period of time or permanently)

  • preset passwords (for example those set by the manufacturer when delivering systems) must be replaced by individual passwords

  • passwords must not be stored on programmable function keys

  • the password must be changed regularly, for example every 90 days

  • a password change must be carried out if the password has become known to unauthorized persons, or if this is suspected

  • old passwords should not be used after a password change

The following boundary conditions should also be considered:

  • the choice of trivial passwords (for example, “CCCCCCCC”, “123456”, names, birth dates) should be prevented

  • each user must be able to change their own password at any time

  • users should be supported by an entropy measurement (display the password quality/strength) when changing passwords

  • for the initial registration of new users, initial passwords should be assigned, which must be changed after one-time use

  • in networks where passwords are transmitted in encrypted form, the use of one-time passwords is recommended

  • unsuccessful login attempts should be rejected with a short error message without specifying details. In particular, in the case of unsuccessful login attempts, it should not be possible to recognize whether the entered user name or the entered password (or both) are incorrect. After a predefined number of consecutive incorrect password entries for the same ID, the authentication system should block access (for a certain period of time or permanently)

  • when typing, the password should not be displayed on the screen

  • the passwords must be stored securely in the system, for example using one-way encryption (hash functions)

  • password change should be initiated regularly by the system

  • the system should prevent old passwords from being reused (password history)
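To show how several of the checklist items above fit together in code, here is an added example (not from the original post): a policy check covering the minimum length, the two-character-class rule and trivial passwords such as “CCCCCCCC” or “123456”, a simple entropy-based strength meter, salted one-way storage with PBKDF2, and a login routine that returns the same terse error for a wrong user name, a wrong password or a locked account and blocks the account after repeated failures. The trivial-password list, the lockout threshold of 5 and the PBKDF2 iteration count are assumed values.

```python
import hashlib
import hmac
import math
import os
import re

MIN_LENGTH, MIN_CLASSES, MAX_FAILURES = 12, 2, 5  # length from the post; class count and lockout assumed
# Constructed sample of trivial passwords; production code would use a large breached-password list.
TRIVIAL = {"123456", "password", "qwerty", "letmein"}
CLASSES = {r"[A-Z]": 26, r"[a-z]": 26, r"[0-9]": 10, r"[^A-Za-z0-9]": 33}

def entropy_bits(pw: str) -> float:
    """Strength meter: length * log2(alphabet size implied by the character classes used)."""
    alphabet = sum(n for pat, n in CLASSES.items() if re.search(pat, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_policy(pw: str) -> list[str]:
    """Return all policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(1 for pat in CLASSES if re.search(pat, pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in TRIVIAL or len(set(pw)) == 1:  # e.g. "123456", "CCCCCCCC"
        problems.append("trivial password")
    return problems

def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """One-way storage: salted PBKDF2-HMAC-SHA256 (iteration count is an assumed value)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class Authenticator:
    def __init__(self) -> None:
        self.users = {}     # user -> (salt, digest); the plaintext password is never stored
        self.failures = {}  # user -> consecutive failed attempts

    def register(self, user: str, pw: str) -> None:
        if problems := check_policy(pw):
            raise ValueError("; ".join(problems))
        self.users[user] = hash_password(pw)

    def login(self, user: str, pw: str) -> tuple[bool, str]:
        """Same terse message whether the user name, the password or a lockout is the cause."""
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return False, "Login failed"
        salt, digest = self.users.get(user, (bytes(16), bytes(32)))  # dummy entry for unknown users
        ok = user in self.users and hmac.compare_digest(hash_password(pw, salt)[1], digest)
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok, "OK" if ok else "Login failed"
```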

Questions to keep in mind

In order to have a high-quality password authentication mechanism and to provide better password security for your users, keep the following questions in mind when you are testing:

  • Is there a binding regulation for the password use?
  • Are users instructed to use passwords of sufficient complexity that are appropriate to the protection requirements?
  • Are users instructed to keep their password secret?
  • Is it tested how many characters of the password are actually checked by the IT system?
  • Are passwords changed at regular intervals?
  • Are passwords changed immediately as soon as they become known, or are suspected of having become known, to unauthorized persons?
  • In the case of unsuccessful login attempts: Is it displayed if the username or password was incorrect?
  • In the case of X number of unsuccessful login attempts: Is the user account access blocked/suspended?
