Passwords

Who guards the guardian? Better safe than sorry ;)

Forgot Password

 - Password recovery tools and techniques
 - Check the ease of use, user friendliness
 - Are the security questions really secure enough?
 - Does the tool display example answers for the security questions?
 - Can the security answers be easily decrypted / decoded?

Encryption

 - MD5 hashing
 - Hashing vs. encryption
 - Password is not stored in plain text
 - Password stored in the vault (Windows Vault) and database is encrypted and cannot be cracked easily with the available password cracking tools
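As an added example (not part of the original checklist), the following Python contrasts the unsalted MD5 storage flagged above with a salted, deliberately slow hash, and includes the check a tester would run to spot bare-digest storage. The `pbkdf2_sha256$...` record format and the sample passwords are constructed for illustration.

```python
"""Added example (not part of the original checklist): contrasting the
unsalted MD5 storage the checklist flags with a salted, slow password hash,
plus a tester's heuristic for spotting bare-digest storage."""
import hashlib
import hmac
import os
import re
from typing import Optional

def md5_store(password: str) -> str:
    """Weak scheme: unsalted MD5. Fast to compute, and every user with the
    same password gets the same stored value, so one inversion serves all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The random salt
    makes identical passwords produce different records; the iteration count
    raises the cost of each guess. The record format is hypothetical."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

_BARE_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")

def looks_like_bare_digest(stored: str) -> bool:
    """Tester's check for the 'Encryption' items: a stored value that is just
    32/40/64 hex characters is consistent with unsalted MD5/SHA-1/SHA-256 and
    should be reported as a finding, not accepted as 'encrypted'."""
    return _BARE_DIGEST.fullmatch(stored.lower()) is not None

if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    a, b = md5_store("Summer2024!"), md5_store("Summer2024!")
    print("MD5 identical for identical passwords:", a == b)
    ra, rb = pbkdf2_store("Summer2024!"), pbkdf2_store("Summer2024!")
    print("PBKDF2 records differ:", ra != rb, "| verify:", pbkdf2_verify("Summer2024!", ra))
    print("Bare-digest check:", looks_like_bare_digest(a), looks_like_bare_digest(ra))
```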

Guidelines

 - Password strength indicator
 - Password length
 - Characters allowed / disallowed
 - Password fields asterisked / starred
 - Caps Lock on / off indicator
 - Guidelines available for the forgot password and reset password links

Password Cracking Tools and Techniques

 - Test the password cracking tools.
 - Be aware of social engineering attacks:
   - Dumpster diving
   - Shoulder surfing
 - Personal identity theft
 - How secure are the password cracking tools?

Reset Password

 - Guidelines to reset password
 - Reset URL expires after one use
 - Test the password generator for:
   - Redundant passwords generated
   - Pattern of the passwords generated

Messages

 - Entered an old / previous password
 - Login / password is incorrect
 - Check if the error messages are a giveaway
 - Login / password incorrect message to be displayed in all applicable places.

Multi-step Verification

 - Enable only wherever required
 - Learn the ease of access of the multi-step verification
 - Check how each password is stored: password, image files, biometric IDs
 - Check the location of the encrypted files
 - Use the available password cracking tools to crack the encrypted password; note the ease / difficulty with which these passwords can be cracked
 - Note what information you are sharing over the wire with the password cracking tools
 - Learn about the password cracking tools and whether they are genuine

Password Manager

 - Learn the ease with which the passwords can be managed
 - Learn the complexity levels of the password manager

Context Based

 - Based on different contexts:
   - Enable / disable automatic logon
   - Enable / disable guest user logon
   - Allow / deny group / synchronous logon policy on a slow internet connection