A Primer on Passwords

Please note: This article was adapted from a blog posting in Karen N. Johnson’s blog on July 24, 2007.

Introduction

The password field is one data entry field that needs special attention when testing an application. Because gaining access to someone's account is often the first step in a security breach, testers should spend more time on this essential field. Following is a brief discussion of different types of passwords.

Passwords: Salted, Mixed, Plain, and Cracked

A password scheme has to be strong enough to provide security, both in the passwords users are allowed to choose and in how the application stores them. Following are several different types of passwords:

Salted Passwords

Salted passwords are passwords to which a random value (the salt) is added before the password is hashed and stored. The salt is generated separately for each user, is not secret, and is stored alongside the hash so the system can recompute the hash at login. From the point of view of an end user there is no difference in creating or using the password field. The value of salting is the added protection it provides to the system: two users with the same password end up with different hashes, so an attacker who steals the password database cannot use a precomputed (rainbow) table and must attack each account separately. A salt does not make a weak password strong, however; a password that appears in an attacker's dictionary will still be found, just at the cost of one hashing run per user instead of one for the whole database. For the same reason the hash should be a deliberately slow password hash (for example PBKDF2, bcrypt or scrypt) rather than a single plain cryptographic hash.
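The following Python script is an added illustration of the point above; it is not code from the original article. It stores the same constructed set of users twice, once as a bare SHA-256 hash and once as PBKDF2 with a per-user salt, and then runs the same small constructed dictionary against both. The user names, passwords, dictionary and iteration count are all assumptions chosen for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample users for this demo; two of them chose the same password.
USERS = {"alice": "Summer2007", "bob": "Summer2007", "carol": "xK9#vq2!Lm"}

# A tiny stand-in for an attacker's precomputed table of common passwords
# (constructed here; a real list holds millions of entries).
COMMON_PASSWORDS = ["password", "123456", "Summer2007", "letmein"]

PBKDF2_ITERATIONS = 50_000  # assumption for the demo; production values are higher


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 over the password with a per-user salt.
    The salt is not secret and is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def unsalted_db(users: dict[str, str]) -> dict[str, str]:
    """What a naive system stores: user -> SHA-256(password)."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def salted_db(users: dict[str, str]) -> dict[str, tuple[bytes, str]]:
    """What a salting system stores: user -> (salt, PBKDF2(password, salt))."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per user
        db[user] = (salt, salted_hash(pw, salt))
    return db


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_unsalted(db: dict[str, str]) -> tuple[dict[str, str], int]:
    """Table attack: hash each candidate once, then look up every user for free.
    Returns (recovered passwords, number of hash computations)."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(COMMON_PASSWORDS)


def crack_salted(db: dict[str, tuple[bytes, str]]) -> tuple[dict[str, str], int]:
    """Same dictionary against salted records: the table is useless, so every
    candidate must be re-hashed for every user. Weak passwords still fall."""
    found, work = {}, 0
    for user, (salt, stored) in db.items():
        for candidate in COMMON_PASSWORDS:
            work += 1
            if salted_hash(candidate, salt) == stored:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    plain = unsalted_db(USERS)
    print("unsalted: alice and bob share a hash:", plain["alice"] == plain["bob"])
    print("unsalted crack (found, hash computations):", crack_unsalted(plain))
    salted = salted_db(USERS)
    print("salted: alice and bob share a hash:", salted["alice"][1] == salted["bob"][1])
    print("salted crack (found, hash computations):", crack_salted(salted))
```

Running it shows the two sides of the argument: the unsalted store reveals that alice and bob share a password and both fall to four hash computations, while the salted store hides that relationship and forces the attacker to hash per user, yet both weak passwords are still recovered. Only carol's password, which is not in the dictionary, survives either way.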

Mixed Passwords

Mixed passwords are passwords that must contain a mix of both alphabetic and numeric characters. The requirement might include mixed upper and lower case letters as well as special characters. The rule of thumb is simple: the more characters in the password and the more varied the mix, the stronger the password. Length counts for more than variety, because each additional character multiplies the number of candidates an attacker must try, whereas adding a character class only enlarges the alphabet. For information on how long it takes to break a password see: Password Recovery Speeds.

The downside is obvious: better, longer, and more complex passwords are simply hard to remember. There are, however, tools that can help (see the sidebar about Password Safe).

Need Help Remembering Passwords?

Password Safe is a free utility for storing passwords. The “safe” itself is password protected with a very strong password helping to keep all of your stored passwords safe.

Plain Passwords

Plain passwords are passwords that contain none of the variety outlined above that makes a password harder to crack: a single dictionary word, a name, or a short run of digits. These are, of course, the easiest passwords to remember. They are also among the least secure, because a dictionary attack tries exactly these candidates first. Note that a dictionary word with a capital letter, a trailing digit, or a few symbol substitutions is still a plain password to a cracker, even if it satisfies a mixed-password rule. Because of this, many websites and applications no longer allow plain passwords.
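The following Python script is an added example covering both the mixed-password rule and the plain-password caveat above; it is not code from the original article. It applies a mechanical mixed-password check, estimates the search space an attacker faces from the length and character classes used (showing that a longer lowercase password can beat a shorter fully mixed one), and then rejects dictionary words that have been dressed up with capitals, trailing digits or leet substitutions. The wordlist, the substitution table, the policy thresholds and the assumed guess rate are all assumptions chosen for the example.

```python
import string

# Character classes that a "mixed password" rule counts.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for a cracking wordlist (assumption for this example).
WORDLIST = {"password", "summer", "letmein", "welcome", "qwerty"}

# Common "leet" substitutions a cracker undoes before a dictionary lookup (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t", "|": "l"})


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def is_mixed(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """The mechanical 'mixed password' rule: long enough and enough character classes."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def keyspace(password: str) -> int:
    """Number of candidates an attacker must try if they know the length and
    which character classes were used (the defender's best case)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole keyspace at an assumed offline guess rate."""
    return keyspace(password) / guesses_per_second


def normalize(password: str) -> str:
    """Undo the tricks that turn a plain word into a 'mixed' one:
    lowercase, drop trailing digits and symbols, reverse leet substitutions."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def acceptable(password: str) -> tuple:
    """Policy check a tester can exercise: reject passwords that fail the
    mixed rule, and reject dictionary words dressed up to pass it."""
    if not is_mixed(password):
        return False, "not mixed"
    if normalize(password) in WORDLIST:
        return False, "dictionary word"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "Ab1!Ab1!", "abcdefghijkl", "Tr0ub4dor&3"]:
        days = seconds_to_exhaust(pw) / 86400
        print(f"{pw:14} mixed={is_mixed(pw)!s:5} keyspace=2^{keyspace(pw).bit_length() - 1:<3}"
              f" ~{days:10.1f} days  policy={acceptable(pw)}")
```

Two things to look for in the output: "P@ssw0rd" passes the mixed rule on its own but is rejected once the substitutions are undone, and the twelve-character lowercase string has a larger keyspace than the eight-character string drawn from all four classes, even though only the latter would satisfy the mixed rule.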

Conclusion

Understanding passwords, their strength, and how they can be broken, is an essential skill for anyone who is going to be testing this field and functionality. Testing of passwords should be incorporated into the test plan for any application or website.

Good Password Resources

Karen N. Johnson

Karen N. Johnson is an independent software test consultant. She is a frequent speaker at software testing conferences and is an active participant in several software testing workshops. She serves as a Director on the Board for the Association for Software Testing and is a panel expert on Tech Target’s web site www.searchsoftwarequality.com. For more information about Karen, visit http://www.karennjohnson.com/.

Karen N. Johnson
Karen N. Johnson is a longtime active contributor to the software testing community. Her work is often centered on helping organizations at an enterprise level. Her professional activities include speaking at conferences both in the US and internationally. Karen is a contributing author to the book, Beautiful Testing by O’Reilly publishers. She is the co-founder of the WREST workshop, the Workshop for Regulated Software Testing. She has published numerous articles; she blogs and tweets about her experiences. Find her on Twitter as @karennjohnson (note the two n’s) and her website: http://www.karennicolejohnson.com. Karen is Director Jamf Now, Development & Delivery at Jamf. See: https://www.jamf.com

