Password theft and the covert capture of private data have become commonplace on the Internet. Many assets are at risk: social network profiles, e-mail accounts, verified accounts on other services, and so on.
This article describes how to test passwords and login mechanisms properly on websites, and how to protect yourself and your personal data from hacking and theft.
How can cybercriminals get your password?
Before discussing passwords themselves, we need to understand how they get stolen.
A password can be stolen from the user, from the web service that stores it, or in transit between the client and the service.
This article concentrates on the first case, because that is the one that password strength and login protection can influence.
The other two depend on vulnerabilities in the web application (for example, storing passwords in plain text or with a weak hash) and on transport encryption; when a password is leaked by the service or intercepted on the wire, its complexity makes no difference.
So an attacker can do the following to obtain your password:
- Guess it directly, by trying many candidate passwords against the victim's account (a brute-force or dictionary attack);
- Use social engineering (for example, call and pose as a bank employee, send phishing e-mails, etc.);
- Use a physical method, such as installing a keylogger on the victim's computer.
What are the ways to protect passwords?
The effectiveness of the last two methods depends mostly on the user, but automated password guessing can be blocked at the software development stage with the following measures:
- CAPTCHA: during login, the user must also enter the characters shown in a distorted image, which slows down automated submissions;
- Two-step authentication using additional tools and systems: for example, sending a one-time code by SMS to the user's phone, or asking for a code from a one-time password generator app (an authenticator app is preferable to SMS, which can be intercepted via SIM swapping);
- Temporarily locking the account after several failed login attempts: for example, blocking logins for 10-20 minutes after three unsuccessful tries (note that an attacker who knows a user name can use this to lock the user out, so combine it with per-IP rate limiting);
- Enforcing password requirements.
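The lockout rule in the third point, written out as an added example (this is not code from the article). It assumes a policy of 3 failures and a 15-minute lock, stores credentials as salted PBKDF2 hashes so the example is realistic end to end, and uses an injectable clock so the expiry can be exercised without waiting. The names `LoginThrottle`, `make_record`, `verify` and `FakeClock` are hypothetical.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Policy values assumed for this example: lock the account after 3 failed
# attempts for 15 minutes (inside the 10-20 minute window suggested above).
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> dict:
    """Create a stored credential: random salt + PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


# Dummy record used for unknown accounts, so the server does the same amount of
# work (and answers in the same time) whether or not the account exists.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


class FakeClock:
    """Controllable clock (hypothetical helper) so lockout expiry can be tested without sleeping."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class LoginThrottle:
    clock: Callable[[], float] = time.monotonic
    failures: Dict[str, int] = field(default_factory=dict)       # account -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # account -> unlock time

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear the counter so the user gets a fresh budget.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password: str, users: Dict[str, dict]) -> str:
        """Returns 'locked', 'ok' or 'failed'. Wrong password and unknown account look identical."""
        if self.is_locked(account):
            return "locked"  # not even the correct password is accepted while locked
        record = users.get(account, _DUMMY_RECORD)
        ok = verify(record, password) and account in users  # verify() always runs
        if ok:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": make_record("correct horse battery staple")}  # constructed sample user
    for pw in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(pw, "->", throttle.attempt("alice", pw, users))
    clock.advance(LOCKOUT_SECONDS)
    print("after lockout ->", throttle.attempt("alice", "correct horse battery staple", users))
```

Two details matter in practice: the response for a wrong password and for a non-existent account is the same string and costs the same hashing work, so the login form does not reveal which user names exist; and the state above is per account only, so a production version also needs a per-source-IP limit and persistent storage, otherwise a single attacker can lock every known user out for free.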
What are good examples of passwords?
- A strong password should be at least 8 characters long, and preferably 12 or more; do not impose a low maximum length;
- It should mix character classes: digits, Latin letters, and special characters, rather than relying on only one of them;
- It should be a unique combination of letters (both uppercase and lowercase) and digits: not a dictionary word, not a password reused on other sites, and not built from the user's name or other easily guessed facts.
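The requirements above expressed as a server-side check, as an added example rather than code from the article. It assumes a policy of 12 characters minimum and at least three of the four character classes, and uses a constructed ten-entry stand-in for a breached-password list; a real deployment would load a list of hundreds of thousands of entries. `check_password` and its problem codes are hypothetical names.

```python
import re

MIN_LENGTH = 12   # assumed policy; the article's minimum is 8
MIN_CLASSES = 3   # assumed policy: at least three of the four character classes

# Constructed sample of a breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon",
}

# Alphabets and keyboard rows used to spot runs such as "abcd", "1234" or "qwer".
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _has_sequence(lowered: str, length: int = 4) -> bool:
    """True if any window of `length` characters is a forward or reverse run."""
    for i in range(len(lowered) - length + 1):
        chunk = lowered[i:i + length]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def check_password(password: str, username: str = "", email: str = "") -> list:
    """Return a list of problem codes; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("too_short")

    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))
    if classes < MIN_CLASSES:
        problems.append("few_classes")

    # Strip the trailing digits/punctuation people add to satisfy rules ("password1!").
    stem = lowered.rstrip("0123456789!@#$%^&*.")
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("common")

    # Reject passwords built from the user's own identifiers (name, e-mail local part).
    for token in (username, email.split("@")[0]):
        token = token.lower()
        if len(token) >= 3 and token in lowered:
            problems.append("contains_identity")
            break

    if re.search(r"(.)\1{3,}", password):   # four or more of the same character in a row
        problems.append("repeated")

    if _has_sequence(lowered):
        problems.append("sequence")

    return problems


if __name__ == "__main__":
    for pw, user in (("Password1!", ""), ("AliceRocks2024!", "alice"),
                     ("Tr0ub4dor&3-x9Q!", "alice")):
        print(repr(pw), "->", check_password(pw, username=user) or "OK")
```

Returning a list of codes rather than a single yes/no lets the registration form tell the user what to change, and the identity check is what makes the dictionary built from a victim's profile (see the testing section below) miss.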
How to test password reliability (penetration testing)
The actual level of security of an information system can only be established by testing it, for example through a QA consulting engagement on web penetration testing.
In the first stages of the test, QA specialists passively collect data about the intended targets: names and initials, e-mail addresses, social network accounts.
This information is then used to build phishing e-mail templates and custom dictionaries for password guessing.
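How such a custom dictionary is built from collected profile data, as an added example (not a tool from the article). It assumes a profile dictionary with a few fields, a small set of leetspeak substitutions and a list of common suffixes; `collect_tokens`, `years_from`, `variants` and `build_wordlist` are hypothetical names, and the profile in the demo is constructed.

```python
import re

# Assumed mutation rules: leetspeak substitutions and the suffixes people
# most often append to satisfy complexity rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "!", "1", "123", "2023", "2024")


def collect_tokens(profile: dict) -> list:
    """Extract lower-case base words from the collected profile data."""
    tokens = set()
    for key in ("first_name", "last_name", "nickname", "pet", "company"):
        value = str(profile.get(key, "")).strip().lower()
        if value:
            tokens.add(value)
    email = profile.get("email", "")
    if "@" in email:
        local = email.split("@")[0].lower()
        tokens.add(local)
        # "alice.smith90" also yields "alice" and "smith".
        for piece in re.split(r"[._\-+]+", local):
            piece = piece.rstrip("0123456789")
            if len(piece) >= 3:
                tokens.add(piece)
    return sorted(tokens)


def years_from(profile: dict) -> list:
    """Birth year in four- and two-digit form, if known."""
    year = str(profile.get("birth_year", "")).strip()
    return [year, year[-2:]] if len(year) == 4 else []


def variants(token: str):
    """Case and leetspeak forms of one token, without duplicates."""
    seen = set()
    for form in (token, token.capitalize(), token.upper(),
                 token.translate(LEET), token.capitalize().translate(LEET)):
        if form not in seen:
            seen.add(form)
            yield form


def build_wordlist(profile: dict) -> list:
    tokens = collect_tokens(profile)
    years = years_from(profile)
    candidates = set()
    # Single words with suffixes: Alice1990, 4l1c3!, REX2024 ...
    for token in tokens:
        for form in variants(token):
            for suffix in (*SUFFIXES, *years):
                candidates.add(form + suffix)
    # Two-word combinations: AliceSmith90, rexalice1990 ...
    for a in tokens:
        for b in tokens:
            if a == b:
                continue
            for pair in (a + b, a.capitalize() + b.capitalize()):
                for suffix in ("", *years):
                    candidates.add(pair + suffix)
    return sorted(candidates)


if __name__ == "__main__":
    # Constructed sample profile of a test user.
    profile = {"first_name": "Alice", "last_name": "Smith", "pet": "Rex",
               "email": "alice.smith90@example.com", "birth_year": 1990}
    wordlist = build_wordlist(profile)
    print(len(wordlist), "candidates, e.g.", wordlist[:8])
```

A few hundred candidates per target is enough to show why the login protections above matter: without lockout or rate limiting, this whole list can be tried in seconds. Such a list may only be used against accounts the engagement is authorized to test.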
Common social engineering techniques are used while these tests are executed.
QA engineers send mailings and try to extract the required information from the test users.
They may also use other ways of "interacting with the victim": physical contact, a phone call, and so on.
The main thing is that such testing is performed in an environment as close to real conditions as possible, and with the explicit authorization of the organization being tested.