Historically, a password was a way of controlling access to something: in the past, for example, you needed one to enter a city and move freely through its territory.
Today passwords protect both physical and digital information: data stored on hard drives, on mobile devices and, of course, on websites.
A password is a secret alphanumeric value used to verify a person's identity and/or authority. Passwords protect personal information from unauthorized access.
There is no single correct way to create passwords in IT today, so every website that needs to verify its users decides for itself what format and type of password it accepts.
Some web resources ask for nothing special and accept a minimal set of characters, while others demand far too much.
Sometimes you come across password rules such as: at least eight characters, ending in a special character, plus a few digits and uppercase letters.
From the system's point of view this is a good, even correct, requirement, but for the user such protection can become an unsolvable puzzle: there is a real risk of forgetting a password that meets these requirements within a few hours of creating it.
An ideal password field should not cap the number of characters a user may enter, but it should show a well-formed hint telling the user how complex the password they have created is. If uppercase letters, lowercase letters and special characters are all allowed, this protects the client from intruders, who will have a much harder time finding the right combination.
In practice, however, not all users use this freedom wisely, and they frequently create unsolvable puzzles for themselves.
The list of the most popular passwords that should not be used
Analysts of Internet communities have compiled a list of the 10 most popular passwords that should not be used to protect personal data online. Unfortunately, combinations from the following list are in constant use:
Analyzing this list makes it clear that passwords made of a trivial sequence of digits or a short phrase are the worst choice. Next to them, even a simple combination like 12345678qwerty looks like fairly good protection against cybercriminals.
So it is very important to create complex passwords that combine several types of characters and, ideally, do not consist of complete sentences.
If you have trouble creating such a password, there are numerous online generators. For example, the Google Chrome browser suggests several secure password options on the sign-up page of its service.
With a basic understanding of what a password should be and what function it performs, we can move on to testing password entry fields.
Besides trivial checks such as field alignment, height and width, the following recommendations apply to testing password and other entry fields.
The steps of password testing
Testing validation
Before you start testing passwords, find out which validation rules the developers have implemented on the project. As mentioned above, some categories of websites have their own understanding of what a correct field is, so do not write "a password consisting of 6 digits is not accepted" in a bug report unless the project specification says it should be accepted.
Mandatory fields
Always check how the "Password" and "Confirm password" fields work, and make sure they accept the same value. It is common to find websites where the "Confirm password" field works improperly and has incorrect validation.
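The two checks above, the project's own validation rules and the agreement of the "Password" and "Confirm password" fields, can be exercised with a small harness. The code below is an added example and not from the original article; the POLICY rule set is an assumption standing in for whatever the real project specification says, and the test cases are constructed. Note that the confirm check compares the raw strings, without trimming or case folding, which is exactly where many forms go wrong.

```python
"""Constructed example: check a password against the project's validation rules
and verify that "Password" and "Confirm password" agree."""
import re

# Assumed policy taken from a hypothetical project specification.  A tester should
# derive these values from the real spec, not from personal preference.
POLICY = {
    "min_length": 8,
    "max_length": None,        # None = no upper cap, as the article recommends
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
}

SPECIAL = re.compile(r"[^A-Za-z0-9]")


def validate_password(password, policy=POLICY):
    """Return the names of the violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("min_length")
    if policy["max_length"] is not None and len(password) > policy["max_length"]:
        problems.append("max_length")
    if policy["require_upper"] and not any(c.isupper() for c in password):
        problems.append("require_upper")
    if policy["require_digit"] and not any(c.isdigit() for c in password):
        problems.append("require_digit")
    if policy["require_special"] and not SPECIAL.search(password):
        problems.append("require_special")
    return problems


def check_signup_fields(password, confirm, policy=POLICY):
    """Emulate the server-side check behind the two fields.

    Returns (ok, messages).  The confirm comparison is done on the raw strings:
    no trimming and no case folding, so "abc" and "abc " must NOT be accepted."""
    messages = [f"password: {p}" for p in validate_password(password, policy)]
    if password != confirm:
        messages.append("confirm: does not match")
    if not password:
        messages.append("password: required")
    return (not messages, messages)


# Constructed cases a tester might walk through by hand.
CASES = [
    ("Str0ng!pass", "Str0ng!pass"),   # valid and matching
    ("Str0ng!pass", "Str0ng!pass "),  # trailing space in confirm must be rejected
    ("123456", "123456"),             # matches, but violates the policy
    ("", ""),                         # empty fields
]

if __name__ == "__main__":
    for pw, confirm in CASES:
        print(repr(pw), repr(confirm), check_signup_fields(pw, confirm))
```

Feeding the same cases to the real form and comparing the outcome with what the harness returns is a quick way to spot a "Confirm password" field that silently trims whitespace or skips the policy check.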
Masking entered characters
Text in the Password field should be displayed on screen as circles, dots or asterisks. A special icon should also be displayed at the right of the password field; it toggles the display of the password, and its operation should be checked as well.
As for the icons, check password entry in various browsers, since Safari, for example, shows its own icon in the password field. If the developer has overlooked this, that icon can easily overlap the nearby show/hide icon.
A password entry field may appear not only on the sign-up page but also on the page where user data is edited. A good practice is to keep a record of clients' old passwords in the database so that the system does not allow changing a password to one that was used before. To maintain a high level of security, it is also important that every new password differs from the previous one and is unique within the account.
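The password-history rule above can be implemented without ever keeping old passwords in plaintext: only salted hashes of previous passwords are stored, and a candidate new password is hashed against each remembered salt. The code below is an added example, not the article's or any product's own implementation; PBKDF2 from the standard library, the iteration count and the history depth of 5 are all assumptions.

```python
"""Constructed example: per-account password history stored as salted hashes,
so a changed password cannot be one that was used before."""
import hashlib
import hmac
import os

ITERATIONS = 50_000     # assumed work factor; production systems tune this higher
HISTORY_DEPTH = 5       # assumed: remember the last 5 passwords per account


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256, standing in for the real system's KDF (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """In-memory stand-in for the users table: each account keeps a list of
    (salt, hash) pairs, newest last.  Plaintext is never stored."""

    def __init__(self):
        self._history = {}

    def set_password(self, account, new_password):
        """Record the password and return True if it is new for this account,
        or return False if it equals the current or any remembered old password."""
        history = self._history.setdefault(account, [])
        for salt, digest in history:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return False
        salt = os.urandom(16)
        history.append((salt, _hash(new_password, salt)))
        del history[:-HISTORY_DEPTH]        # forget anything older than the depth
        return True

    def verify(self, account, password):
        """A login attempt is checked against the current (latest) hash only,
        so an old password stops working as soon as it is replaced."""
        history = self._history.get(account)
        if not history:
            return False
        salt, digest = history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)


def demo():
    """Walk through the sequence a tester would try on the 'edit profile' page."""
    store = PasswordStore()
    return [
        store.set_password("alice", "First!pass1"),    # True: first password
        store.set_password("alice", "First!pass1"),    # False: same as current
        store.set_password("alice", "Second!pass2"),   # True: genuinely new
        store.set_password("alice", "First!pass1"),    # False: still in history
        store.verify("alice", "Second!pass2"),         # True: current password
        store.verify("alice", "First!pass1"),          # False: old one no longer logs in
    ]


if __name__ == "__main__":
    print(demo())
```

Because the history is kept per account, the same password may legitimately appear under two different accounts, which matches the "unique within one account" wording above; the uniqueness the tester should verify is across an account's own history, not across users.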
Displaying the entry requirements
If a website has its own password requirements, they should be placed directly next to the password entry fields so the client can take them in comfortably. It is poor usability when a client learns about an entry error before those conditions have been shown.
Validation before and after submitting the form
Before you start testing, find out at which stage validation is supposed to happen. There are still websites whose password entry forms show pop-up hints with the specific errors the client has made.
The level of complexity
Some forms include a complexity indicator that encourages the client to create a very complex password for better protection of their personal account. To check it, test what is taken into account when complexity is evaluated: only the number of characters, or also their variety and types.
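To see why "only the number of characters" is not enough, it helps to compare a length-only meter with one that weighs character variety as well. The code below is an added example and not code from the article; its scoring thresholds, the nominal 32-symbol class for characters outside the four Latin classes, and the small blocklist are assumptions (the article's own top-10 list is not reproduced here). The variety-aware meter generalizes the idea to an alphabet-size estimate: the larger the smallest alphabet that covers every character used, the more guesses an exhaustive search needs.

```python
"""Constructed example: a complexity indicator that scores length AND character
variety, next to the naive length-only meter the article warns about."""
import math
import string

# Constructed blocklist of well-known weak passwords (not the article's list).
BLOCKLIST = {"123456", "password", "qwerty", "12345678qwerty"}

CLASSES = [
    ("lower", set(string.ascii_lowercase)),    # 26
    ("upper", set(string.ascii_uppercase)),    # 26
    ("digit", set(string.digits)),             # 10
    ("special", set(string.punctuation)),      # 32
]


def charset_size(password):
    """Size of the smallest standard alphabet covering every character used.
    Characters outside the four classes (e.g. Cyrillic) add a nominal 32 (assumption)."""
    size = 0
    remaining = set(password)
    for _, chars in CLASSES:
        if remaining & chars:
            size += len(chars)
            remaining -= chars
    if remaining:
        size += 32
    return size


def entropy_bits(password):
    """Exhaustive-search estimate: log2(alphabet_size ** length)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def rate(password):
    """Variety-aware meter: 'blocked', 'weak', 'medium' or 'strong' (assumed thresholds)."""
    if password.lower() in BLOCKLIST:
        return "blocked"
    bits = entropy_bits(password)
    if bits < 28:
        return "weak"
    if bits < 50:
        return "medium"
    return "strong"


def length_only_rate(password):
    """The naive meter that looks at the number of characters alone."""
    n = len(password)
    return "weak" if n < 6 else "medium" if n < 10 else "strong"


if __name__ == "__main__":
    for pw in ["1234567890", "Ab1!", "Tr0ub4dor&3", "12345678qwerty"]:
        print(f"{pw!r:18} length-only={length_only_rate(pw):7} variety={rate(pw)}")
```

A tester can type the same candidates into the form under test: if a ten-digit password lights up as "strong" while the variety-aware score says "medium", the indicator is counting characters only.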
Overview of Proactive Password Auditor
More than half of Internet users prefer short, easily memorized passwords, and it is very hard to wean them off this habit.
All that local network administrators can do is check how resistant such passwords are and replace them with ones more resistant to cracking. The Proactive Password Auditor product (hereinafter PPA) was created specifically to test the level of password protection in a Windows environment. It quickly finds accounts whose passwords are vulnerable to guessing and can also recover passwords that clients have forgotten.
The product has some features absent from similar applications. For example, when testing a large number of client accounts simultaneously (specifically on NTLM hashes), PPA runs 2-4 times faster than its closest rivals, which has been confirmed more than once by an independent panel of developers.
Unlike some software that cannot dump hashes at all, PPA supports all of today's popular ways of obtaining password hashes (for subsequent attacks):
- from the registry of the local PC;
- from the memory of the local PC or a remote computer;
- from the Security Account Manager file or its backup;
- from dump files produced by the pwdump2 and pwdump3 utilities.
The program can also extract all hashes directly from Windows system files. Moreover, some of those system files are decrypted automatically on the spot, a unique feature of this software.
As soon as the hashes for each account are obtained, PPA analyzes the password content (LM+NTLM), and the system administrator or client can then choose the recovery method that suits them best: LAN Manager or NTLM (NTLM attack).
It is also worth pointing out that it is better to check resistance on several active accounts at once using the same hash type: for one pass of the chosen algorithm, the software spends the same amount of time checking one account as it does testing hundreds of different accounts.
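The "same time for one account or for hundreds" property above follows from LM and NTLM hashes being unsalted: a candidate is hashed once and looked up against every account's hash at the same time. The added example below, which is not code from PPA or the article, counts hash evaluations for a weak-password audit over an unsalted store and over a store with a per-account salt, which is the mitigation that removes this amortization. SHA-256 stands in for the NTLM hash (an assumption; real NTLM is MD4 over UTF-16LE), and the account list and candidate words are constructed.

```python
"""Constructed example: why an audit over unsalted hashes costs the same for one
account as for hundreds, and how per-account salts change the cost."""
import hashlib
import os

# Constructed candidate list; "home" and "user 12" are the article's own examples.
CANDIDATES = ["home", "user 12", "welcome", "Str0ng!pass"]


def h(data):
    """Stand-in for the stored hash function (assumption: SHA-256 instead of NTLM)."""
    return hashlib.sha256(data).digest()


def audit_unsalted(stored):
    """stored: {account: hash}.  Returns (weak_accounts, hash_evaluations).
    Every candidate is hashed exactly once regardless of the number of accounts."""
    by_hash = {}
    for account, digest in stored.items():
        by_hash.setdefault(digest, []).append(account)
    weak, evals = {}, 0
    for word in CANDIDATES:
        evals += 1
        for account in by_hash.get(h(word.encode()), []):
            weak[account] = word
    return weak, evals


def audit_salted(stored):
    """stored: {account: (salt, hash)}.  With a per-account salt the work is
    one evaluation per candidate PER ACCOUNT: nothing can be shared."""
    weak, evals = {}, 0
    for account, (salt, digest) in stored.items():
        for word in CANDIDATES:
            evals += 1
            if h(salt + word.encode()) == digest:
                weak[account] = word
                break
    return weak, evals


def build_stores(passwords):
    """Build both storage layouts from constructed {account: plaintext} test data."""
    unsalted = {a: h(p.encode()) for a, p in passwords.items()}
    salted = {}
    for a, p in passwords.items():
        salt = os.urandom(16)
        salted[a] = (salt, h(salt + p.encode()))
    return unsalted, salted


def demo(n_accounts=100):
    """Every odd-numbered account uses 'home'; the rest use a strong password.
    Returns (unsalted_evals, salted_evals, weak_accounts_found)."""
    passwords = {f"user{i}": ("home" if i % 2 else "Xq7#vL9!pz") for i in range(n_accounts)}
    unsalted, salted = build_stores(passwords)
    weak_u, evals_u = audit_unsalted(unsalted)
    weak_s, evals_s = audit_salted(salted)
    assert weak_u == weak_s                 # same findings, very different cost
    return evals_u, evals_s, len(weak_u)


if __name__ == "__main__":
    for n in (1, 100, 1000):
        print(n, "accounts ->", demo(n))
```

The unsalted count stays at the size of the candidate list no matter how many accounts are loaded, which is the behaviour the article describes; the salted count grows linearly with the number of accounts. For a defender the takeaway is that any system whose hashes can be audited this cheaply across many accounts at once should be treated as having no protection beyond the passwords themselves.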
To find passwords, one of 4 available attack types can be used:
- Brute-force: an attack by exhaustive enumeration;
- Mask: an attack by mask, when part of the password is known;
- Dictionary: an attack using an attached dictionary;
- Rainbow: an attack based on precomputed table values.
Any of the attacks above can easily be accelerated if it is configured properly.
In the settings we can specify the maximum password length, choose one of several character sets to enumerate, or define a custom set.
In mask mode we can set a starting password. Conveniently, the value of the starting password changes continuously while the software runs, and after an interruption work resumes from the last point (provided, of course, we do not forget to save the project, which can be done manually or automatically).
Password weakness checks should start with the dictionary attack: in that case, passwords such as "user 12" or "home" will be found within a few minutes. A dictionary in any language, including Russian, can be used.
Initially the program ships only with an English dictionary of 243 thousand words; dictionaries for other languages can be downloaded from the Internet. Next we can move on to a direct attack and structure it as follows:
- test digits only, 7-9 characters long;
- test 5-7 characters of Latin letters, Cyrillic letters, special characters and digits;
- test all printable characters, 3-4 characters long.
In practice, such a run takes 30 minutes on one PC and finds the most fragile accounts. Obviously, the tests can take much longer if the tester has to check around a hundred local PCs.
Checking passwords can be sped up considerably with previously prepared rainbow tables. Creating such tables takes a lot of time and they are very large, but the effort is worth it. The drawback of this method is that the attack can only be performed against LM hashes.
The results of PPA
Summing up the capabilities of Proactive Password Auditor, it is a good tool for testing a password database or for recovering lost passwords. The wide range of tunable parameters and product settings makes it an absolute leader on the password-checking market.
Passwords must be tested, since this way of submitting the client's personal information is prone to numerous errors and bugs that prevent the user from using a web product calmly and comfortably.
If a user cannot get comfortable with the website because the password entry logic was never tested, you can say goodbye to a potential user of the service.
Always remember that the user is the most important critic and their comfort comes first!