
Protecting user passwords: security techniques and penetration testing

24 May 2018
Cybersecurity testing
Article by a1qa

High-profile data breaches continue to hit the headlines. However, you may be surprised to learn that most attacks do not take much time or effort: weak passwords give attackers plenty of opportunities.

If you are involved in the development of a software product that handles personal data, this post is just for you. It was prepared by the engineers of the a1qa Security Testing Center of Excellence. After reading it, you will learn:

  • What makes a password strong?
  • Which techniques can be implemented to increase the security of user accounts?
  • Can software testers detect security flaws before real attackers do, and eliminate them?

3 ways attackers steal passwords

Before talking about securing passwords, let's list the ways an attacker may steal them. Generally, a password can be stolen directly from the user, from the service, or on its way from the client to the service.

Today we'll focus on the first option only, as it is the one related to password security. The other two depend on web app vulnerabilities, and there the likelihood of the password being stolen has nothing to do with its complexity.

So how can attackers break in?

  • Performing brute force attacks. Surprisingly, most passwords can be guessed within a limited number of tries. With this method, attackers use special tools to submit password after password until the right one is found. It is the easiest and least sophisticated hacking method.
  • Another option is to employ social engineering techniques to learn the user's credentials, as human weakness is much easier to exploit than network vulnerabilities. This method is more sophisticated and requires psychological skill from the attacker to sound trustworthy and make the victim reveal the data.
  • The attacker can also peek at the password at the victim's workstation, install a keylogger that records every keystroke, or simply find a sticky note with the password.

As you can see, learning a password is not that difficult for a determined attacker.

Password protection techniques

If the attacker chooses one of the two latter options, the development team can do little to stop them. The first method, however, can be prevented by implementing certain techniques at the software development stage.

Let’s name a few:

  • Implement CAPTCHA to stop bots from automating login and to prove that a human is performing the action.
  • Require two-factor authentication with the help of another device. For example, a user may be asked to enter a code received by SMS. Another option is to generate a one-time password that is valid for only one session or transaction.
  • You can also restrict a user after several unsuccessful login attempts. However, make sure you do not block the user forever, only for a limited period of time.
  • Add controls for minimum password length and complexity.
  • The ideal password length is 8-12 symbols.
  • Make sure your users know that the password may include numbers, Latin letters and special symbols ($, ?, !, <, ", #, %, @, etc.).
  • A combination of numbers and letters (upper- and lower-case) is reasonable and reliable.

It’s NOT recommended to use:

  • Words that can be found in the dictionary as password-cracking tools
  • Adjacent keyboard combinations such as qwerty, 123456789 or qazxsw, which are also trivial to crack.
  • Personal data (first or last name, date of birth, passport number, etc.), as well as passwords reused from other services.

Inform your users that it is also important to choose a password that is not hard to remember. Many people write long passwords down and stick the note to their monitor, which increases the risk of the password being stolen.

You can also build in notifications that remind your users to change their password periodically, for example every 90 days.

Also, think about the actions a user should take if their password has been stolen, or they believe it has been.
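As an added illustration, not code from the a1qa post, the following Python module implements the server-side controls listed above: a policy check for minimum length, mixed character classes, dictionary words, adjacent-key sequences and personal data, plus a lockout that expires on its own instead of blocking the user forever. The word list, keyboard walks, account names and passwords are constructed for the example; the lock-out thresholds (5 failures in 5 minutes, 15-minute lock) are assumed values, not recommendations from the post.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

MIN_LENGTH = 8  # the post recommends 8-12 characters; enforce the lower bound

# Constructed stand-in for the word list a password cracker tries first.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}

# Keyboard rows, the digit run, and two QWERTY column walks (the zig-zag one
# covers "qazxsw"). Reversed forms are checked as well.
KEYBOARD_WALKS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
    "qazwsxedcrfvtgbyhnujm",
    "qazxswedcvfrtgbnhyujm",
]


def has_keyboard_walk(password, window=4):
    """True if any `window` consecutive characters follow a keyboard walk."""
    p = password.lower()
    for walk in KEYBOARD_WALKS:
        for seq in (walk, walk[::-1]):
            if any(p[i:i + window] in seq for i in range(len(p) - window + 1)):
                return True
    return False


def check_password(password, personal_data=()):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("must mix lower-case letters, upper-case letters and digits")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_keyboard_walk(password):
        problems.append("contains an adjacent-key sequence")
    for item in personal_data:
        token = str(item).lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal data ({item})")
    return problems


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random salt; store all three values together."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class LoginThrottle:
    """After max_failures within `window` seconds, lock the account for
    lock_seconds; the lock then expires by itself (never a permanent block)."""
    max_failures: int = 5
    window: float = 300.0
    lock_seconds: float = 900.0
    _failures: dict = field(default_factory=dict)      # account -> timestamps
    _locked_until: dict = field(default_factory=dict)  # account -> epoch seconds

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return now < self._locked_until.get(account, 0.0)

    def record_failure(self, account, now=None):
        """Register a failed attempt; returns True if this one triggered a lock."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            self._failures[account] = []
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def login(throttle, users, account, password, now=None):
    """users maps account -> (salt, iterations, digest). Returns ok/denied/locked."""
    now = time.time() if now is None else now
    if throttle.is_locked(account, now):
        return "locked"
    stored = users.get(account)
    if stored and verify_password(password, *stored):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"
```

The throttle is keyed per account, so it slows an attacker guessing one user's password; a real deployment would also key on the source address and require the CAPTCHA or second factor discussed above once a lock triggers.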

What happens if there are no security techniques implemented: a real-world example

If there is a vulnerability in the security mechanisms, an attacker with enough time and motivation will exploit it and sooner or later succeed. Gaining access to the website admin panel, for instance, lets the attacker change the website content.

In one of our projects, our engineers were testing a mobile app. The app had two-factor authentication: the user had to enter his phone number, receive a code via SMS and enter the 4-digit code to log in.

The first thing the a1qa engineers noticed was that the code was made up of 4 digits, which gave them (and abusers) only 10,000 possible combinations to crack.

To make things worse, there was an error in the authentication process: the server didn't block users after any number of unsuccessful login attempts.

Cracking the password with a specially developed script took our engineers only 15 minutes!
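For contrast with the case above, here is an added Python example (not the tested app's code, nor a1qa's) of how the server side of an SMS-code step can be written so that the code space can never be walked: every challenge expires, is destroyed after a few wrong guesses, and is usable exactly once. The code length, time-to-live, attempt budget and phone numbers are assumed values chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    code: str          # one-time code sent to the user
    issued_at: float   # epoch seconds
    attempts: int = 0  # wrong guesses so far


class OtpService:
    """Server side of an SMS-code login step with the controls the case study lacked."""

    def __init__(self, digits=6, ttl=300.0, max_attempts=3):
        self.digits = digits
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._pending = {}  # phone -> Challenge

    def issue(self, phone, now=None, code=None):
        """Create a challenge for `phone` and return the code for the SMS sender.
        `code` is accepted only so tests can fix it; production uses `secrets`."""
        now = time.time() if now is None else now
        if code is None:
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[phone] = Challenge(code=code, issued_at=now)
        return code

    def verify(self, phone, submitted, now=None):
        """Returns ok, wrong, locked, expired or no_challenge."""
        now = time.time() if now is None else now
        challenge = self._pending.get(phone)
        if challenge is None:
            return "no_challenge"
        if now - challenge.issued_at > self.ttl:
            del self._pending[phone]
            return "expired"
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(challenge.code.encode(), str(submitted).encode()):
            del self._pending[phone]  # a code is valid for exactly one login
            return "ok"
        challenge.attempts += 1
        if challenge.attempts >= self.max_attempts:
            del self._pending[phone]  # the user must request a fresh code
            return "locked"
        return "wrong"


def keyspace(digits):
    """Number of possible codes: 4 digits gives the 10,000 of the case study."""
    return 10 ** digits


def guess_probability(digits, max_attempts):
    """Chance that an attacker guesses one challenge within its attempt budget."""
    return max_attempts / keyspace(digits)
```

With the attempt budget in place, the 4-digit code of the case study gives an attacker a 3 in 10,000 chance per challenge instead of a guaranteed hit, and moving to 6 digits lowers it further; the service should additionally rate-limit how often a new code can be requested for the same phone number.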

See also the top security threats for web apps detected by the a1qa engineers: Part 1 and Part 2.

Penetration testing is a vital part of any effective security strategy

Pen testing allows you to assess the security level of a system by running simulated attacks to find possible entry points for attackers.

A professional pen testing process involves several stages.

At the very beginning, security testing engineers collect all the information they can about the target organization and its people: names, emails, children's names, nicknames in social media accounts, etc. Based on this information, dictionaries for password cracking are generated and used to test the passwords.

Social engineering emails, calls, face-to-face contact and other tests on people can be performed to find out whether they are susceptible to an attack.

When to perform pen testing?

Penetration testing should start only after the application is ready and a full functionality test is completed.

Pen testing results:

  • An independent assessment of the system's security level
  • Detection of all security weaknesses
  • A list of recommendations for improvement, with estimates of the time and cost required to implement them.

Is your users’ data secured? If you have any doubts, set up an obligation-free consultation with the a1qa security testing specialists.
