|Please note: This article was adapted from a blog posting in Karen N. Johnson’s blog on July 24, 2007.|
The password field is one data entry field that needs special attention when testing an application. The password field can be important (since accessing someone’s account can start a security leak), testers should spend more time on this essential field. Following is a brief discussion of different types of passwords.
Passwords: Salted, Mixed, Plain, and Cracked
A password field has to be strong enough to provide security. Following are several different types of password fields:
Salted passwords are passwords where random characters are added to the user’s passwords to improve security. These pseudo-random values are added to a password before the password is hashed and stored. From the point of view of an end-user there is no difference in creating or using the password field. The value of the salted password is the added protection it provides to the user and the system. A salted password is a stronger password that is much less vulnerable to brute-force and dictionary attacks.
|Mixed passwords are passwords requiring a mix of both alpha and numeric characters. The requirement might include mixed upper and lower case alpha characters as well as special characters. The rule-of-thumb is simple, the more characters in the password field and the more varied the mix, the stronger the password. For information on how long it takes to break a password see: Password Recovery Speeds.
The downside is, however, obvious. Better, longer, and more complex passwords are simply hard to remember. There are, however, tools that can help (see the sidebar about Password Safe).
Plain passwords are passwords that contain none of the variety outlined above that makes a password harder to crack. These are, of course, the easiest passwords to remember. They are also among the least secure. Because of this, many websites and applications do not allow plain passwords anymore.
Understanding passwords, their strength, and how they can be broken, is an essential skill for anyone who is going to be testing this field and functionality. Testing of passwords should be incorporated into the test plan for any application or website.
Good Password Resources