The basic theory is that the stronger the password, the longer it takes to crack that password. Any password can be cracked; it’s just a matter of how long it takes. As a software user, I should create passwords that have an interesting mix of alphabetic and numeric characters (and special characters such as symbols, if they’re accepted by the application). If case is distinguished, mixing upper- and lowercase letters is also helpful. And I should use the longest password that the application accepts, because the longer the password, the longer it might take to crack that password. However, a long, unsophisticated password provides no more protection than a short, more obvious password. For example, using my email address for the password might be a long password, but a fairly easy one to crack.
As a software tester, I need to work for a suitable level of password requirements for the application and type of data I’m trying to protect. I’m also trying to protect the customer when I work in software development, though most customers don’t even know that I exist. These are some of the rules I advocate:
- If an application is web accessible and contains important or sensitive information (such as financial data, social security numbers, or health records), I lobby for stringent password requirements. If the information the application contains isn’t particularly important or sensitive, an average, "wimpy" password might be good enough.
- Password information should be stored in encrypted form in the database.
- Information stored in cookies should be checked carefully. No personal or account information should be stored in plain text. When I’m testing a website, I make a point of knowing what information is stored in the site’s cookie.
- The login process should take place on an SSL page.
Some of these checkpoints sound obvious, but have been missing or defective in web applications I’ve tested.
So what makes a good password? From a testing or requirements perspective, the characteristics I’ve just mentioned—a long password (8–20 characters), with a mix of upper- and lowercase, alphabetic, numeric, and special characters—increase the strength of a password.