Messages Can Leak Information
Cracking isn’t the only way someone can gain access to an application. The messages an application sends back to users, in particular login errors and password-recovery email, are an area for which the Open Web Application Security Project (OWASP) provides some specific warnings:
- If a login attempt fails, make sure that the application doesn’t indicate which field (the account name or the password) is in error. Instead, the login page should simply state that the credentials were rejected, without saying which field is at fault. Because you’ve purposely omitted which field is in error, anyone attempting to break in has to guess both fields at once, rather than first confirming a valid account name and then attacking only its password.
- Another opportunity to crack a password comes through "forgotten password" email messages. A forgotten-password email should offer a way to reset the password, rather than including the password in plain text within the message. The worst examples I’ve seen give the email the subject line "Your password," and the message body contains the password in readable text. This aspect of testing can be forgotten easily, so I suggest testing all email that can be generated relative to account and password information. I ask developers for a list of all possible error messages, so I can test for the generation and content of all email.