Passwords: salted, mixed, plain, and cracked

The password field is one data entry field I often fly past on my way to testing an application. But maybe I should slow down and spend more time on this essential field. After all, if I can access an application as another user I may have found the most important defect in the application.

The password field, and what the application does with the value typed into it, has to be strong enough to provide security: how the password is required to be composed, how it is stored, and how it is recovered all matter.

Salted passwords are passwords stored with a salt: a random value generated for each user, saved alongside the password hash, and mixed into the password before it is hashed. From a user’s perspective there is no difference in creating or using the password field. The beauty and value of the salted password is the added protection provided to the user and the system: two users with the same password get different hashes, and an attacker who steals the password database cannot crack every account with one precomputed table but has to attack each salted hash separately. This blog entry provides the best explanation I’ve seen of salting.
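The following is an added example, not code from the original post, showing salting in practice with Python's standard library: a fresh random salt per user, PBKDF2 as the (assumed) slow hash, and a constant-time check. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are choices made for this example, not anything the post prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not from the blog post).
SALT_BYTES = 16          # 128-bit random salt per password
ITERATIONS = 200_000     # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """What NOT to do: a plain hash is identical for every user with this password,
    so one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and iteration count next to the hash is normal; the salt
    is not a secret, its job is to make every stored hash unique.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # new random salt for every password set
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False                    # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(recomputed.hex(), hash_hex)


def demo() -> dict:
    """Two users who picked the same password (constructed sample data)."""
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw), hash_password(pw)
    return {
        "unsalted_hashes_equal": unsalted_hash(pw) == unsalted_hash(pw),
        "salted_records_equal": alice == bob,
        "alice_verifies": verify_password(pw, alice),
        "bob_verifies": verify_password(pw, bob),
        "wrong_password_rejected": not verify_password("wrong", alice),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the demo makes is that `unsalted_hashes_equal` is True while `salted_records_equal` is False: with a salt the attacker learns nothing about Bob from cracking Alice, and cannot reuse a table built before the breach.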

Mixed passwords are passwords that require a mix of alphabetic and numeric characters; alternatively the requirement might call for mixed upper and lower case and allow special characters as well. The more characters accepted in the password field and the more varied the mix, the larger the space an attacker has to search and the stronger the password. Length counts for even more than the mix, since every added character multiplies the search space by the size of the alphabet. Take a look at how long your password might stand up to cracking. But better passwords are simply hard to remember.

I recently found a utility (and presented this in a lightning talk at CAST 2007) that’s been solving the memory headache for me. Password Safe is a free utility you can use to store your passwords. And yes, the safe is password protected with one of the strongest password requirements I’ve ever used.

Plain passwords are passwords that contain none of the variety that makes a password harder to crack. While most websites don’t allow plain passwords anymore, the greater security risk comes through the forgotten-password email: a site that can mail you your existing password is storing it in a recoverable form, and that password is exposed to anyone who can read the mailbox or the message in transit. A site that stores only salted hashes cannot send the password back at all; the most it can do is send a one-time, expiring reset link.

As I use passwords, I’m becoming increasingly mindful of stronger passwords. Here’s a password checking site to check the strength of a password. Or better, don’t test your specific password but test a password similar to the one you plan to use. The more I read about password cracking, the more I realize I’m not being paranoid, I’m thinking preventive, a topic I’ll be addressing in my presentation at EuroStar.
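Both the point about mixed passwords above and the advice about strength-checking sites come down to the same arithmetic, so here is one added example (not from the original post) that does the check offline, so you never send a real password anywhere. It estimates the keyspace from the character classes actually used, converts that to a worst-case brute-force time at an assumed 10^9 guesses per second, and short-circuits for passwords on a common-password list. The guess rate and the tiny common-password list are constructed for this example; a real check uses a large breached-password list.

```python
import math
import string

# Character classes and their sizes. The alphabet an attacker must search is
# the union of the classes the password actually uses.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32
}

# Constructed sample; a real list has hundreds of millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}

GUESSES_PER_SECOND = 1e9   # assumed rate for an offline attack on a fast hash


def classes_used(password: str) -> list:
    chars = set(password)
    return [name for name, (members, _) in CLASSES.items() if chars & members]


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the classes present; anything outside the four
    classes (space, non-ASCII) is counted conservatively as one symbol each."""
    chars = set(password)
    known = set().union(*(members for members, _ in CLASSES.values()))
    size = sum(n for members, n in CLASSES.values() if chars & members)
    return size + len(chars - known)


def keyspace(password: str) -> int:
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Bits of a random password drawn from this alphabet and length."""
    return len(password) * math.log2(alphabet_size(password)) if password else 0.0


def seconds_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case (exhausting the keyspace); a common password falls at once."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    if seconds < 1:
        return "less than a second"
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.0f} seconds"


def strength_report(password: str) -> dict:
    return {
        "length": len(password),
        "classes": classes_used(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case": human_time(seconds_to_crack(password)),
    }


if __name__ == "__main__":
    # Constructed test passwords: a common one, a mixed short one, a long plain one.
    for pw in ("password", "P4ssw0rd!", "passwordpassword"):
        print(pw, strength_report(pw))
```

Running it shows the trade-off the post describes: `P4ssw0rd!` uses all four classes but at nine characters is exhausted in about eighteen years at this rate, while the sixteen-letter lowercase string takes over a million years. The caveat is that the estimate treats the password as random; real crackers try dictionaries with substitution rules first, so a "leet" spelling of a dictionary word falls far faster than the keyspace suggests, which is why the common-password check is there.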

This entry was posted in security testing.