Are Your Passwords Strong Enough? Advice from a Software Tester

Learning about passwords is one step toward learning about application security and safeguarding your information. Karen N. Johnson looks at the password field from the perspectives of a software tester, a business analyst, and a user.

Breaking In

Hired to execute some light-level security testing for a website, I wanted to check out the site in more detail before visiting the client. I knew a little bit about the website, but not a lot, and thought I should prepare for the work by doing some exploring. I couldn’t view much on the website without an account. Since the client was a B2B, and an account on the website took quite a bit of information to get started, I couldn’t just create an account on the fly and look around. On a whim (or perhaps gut instinct), I randomly typed in something that sounded like a typical account name and password. Within seconds, I was logged into a production account. Intrigued and a bit frightened, I had unintentionally logged into someone’s account! And this wasn’t just any account, either; it belonged to a well-known Fortune 500 company.

I hadn’t even used any hacking tools, rainbow tables, or sophisticated methods. I had just guessed a likely account name and password, and I was logged in.

How would I explain to the client at the start of an engagement on security testing that I’d broken into one of their production client accounts the day before? But, now that I was logged in, I was a little curious to see what I could find out about the account. After all, what if I had bad intentions? I decided to explore a little. The link to My Account seemed like a great place to begin. Although the credit card information was obscured, I could still view details about the company that weren’t any of my business. Fearing that access logs might be recording my every move on the website, I logged out.

This experience specifically—and learning more about security testing in general—made me think about the significance of the password field. As a software tester, I test hundreds of data-entry fields, but the account name and password fields are not "just another pair of entry fields." Since many websites use email addresses for account names, and it can be easy to get someone’s email address, a single field—the password field—may end up being the gatekeeper to accessing an account.

Just how easy is it to crack a password? That depends on how strong the password is.
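As an added illustration (not code from Karen N. Johnson's article), the following Python makes the "depends on how strong the password is" point concrete in the way a tester would check it. It computes the nominal search space a password's length and character mix imply, then overrides that figure when the password is on a common-password list, because a guessable password falls to the first few guesses no matter how many nominal bits it carries. The wordlist and the guesses-per-second rates are constructed for this example, not measurements of any real system.

```python
import math
import string

# Constructed, illustrative list of passwords that sit at the top of nearly
# every leaked-credential wordlist; a real check would use a breach corpus.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "welcome", "welcome1", "admin", "letmein", "changeme",
}

# Assumed guess rates in guesses per second. These are illustrative orders of
# magnitude chosen for this example, not measurements of any real system.
GUESS_RATES = {
    "online login form, throttled": 1e1,
    "offline, slow hash (bcrypt)": 1e4,
    "offline, fast hash on GPUs": 1e10,
}


def charset_size(password: str) -> int:
    """Size of the smallest standard ASCII alphabet containing every character.

    Only letters, digits and ASCII punctuation are counted; other characters
    (spaces, non-ASCII) are ignored, which keeps the estimate conservative.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def search_space_bits(password: str) -> float:
    """Nominal strength: log2 of the number of strings of this length and alphabet."""
    n = charset_size(password)
    if not password or n == 0:
        return 0.0
    return len(password) * math.log2(n)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password by exhaustive search (half the keyspace)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def assess(password: str) -> dict:
    """Rate a password the way a tester would: is it guessable before it is crackable?"""
    common = password.lower() in COMMON_PASSWORDS
    bits = search_space_bits(password)
    # A password on the common list is found within one pass over that list,
    # however many nominal bits its length and character mix imply.
    effective_bits = math.log2(len(COMMON_PASSWORDS)) if common else bits
    return {
        "password": password,
        "common": common,
        "nominal_bits": round(bits, 1),
        "effective_bits": round(effective_bits, 1),
        "seconds": {scenario: expected_seconds(effective_bits, rate)
                    for scenario, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # "Welcome1" looks like 47.6 bits on paper but is a stock guess; the
    # random-looking string is the only one that survives an offline attack.
    for pw in ["Welcome1", "letmein", "x7Qm#pL2vR"]:
        r = assess(pw)
        print(f"{pw!r}: common={r['common']} nominal={r['nominal_bits']} bits "
              f"effective={r['effective_bits']} bits")
        for scenario, secs in r["seconds"].items():
            print(f"    {scenario:<32} ~{secs / 86400:.3g} days")
```

The gap between `nominal_bits` and `effective_bits` is the whole story of the account the author walked into: the character-class rules a password field enforces say nothing about whether the password is one an attacker would try first.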
