Software Testing Techniques to Detect Password Vulnerabilities in Software Applications
Wherever a user desires to deny or restrict the accessibility of a software application or a system from others, it is secured by means of a password. Users spend lot of time & energy in protecting their systems with so called difficult passwords, but at the same time smart password crackers reveal the mystery with little effort using different tools & techniques available these days.
As a matter of fact no one likes passwords, as they can be too many in number thereby making it difficult for the brain to remember. It is ideal to have very strong password & keep on changing them quite frequently. But remembering these strong passwords & so many of them is a tedious task. Thus password vulnerability is more of a human issue that majority of the people keep a short list of easy to remember passwords that remain handy for them. This happens despite the knowledge that these passwords may be the only defense against the loss of personal data that is of great value.
The password crackers understand such weakness & psychology of general users. That is why normal users become easy victims of the password crackers. Sometimes even expert system administrators fall prey to such tactics of password crackers.
What are the objectives of Password Cracking?
1) Legitimate Password Cracking: This might be to help a user recover a forgotten password to gain authorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords.
2) Illegal Password Cracking: This is always with mala fide intentions of breaking open someone else's system & gaining access to personal information for personal gain or to harm the other person.
Before going into the details of testing techniques, let us understand the different types of password vulnerabilities.
Types of Password Vulnerabilities:
Type 1: Use of Default Passwords: A lot of software is installed with either blank or default passwords, on the assumption that users will change these passwords as soon as the software is installed. Yet even if the user's guide, administrator's guide, or an online reminder tells the user to change the password for security, a surprising number of users never bother to do so.
This certainly leaves all the system’s security wide open, as has been shown many times on many products.
How this type of vulnerability is exploited: An attacker sends a packet to a target machine, which is directed to a port used by the software they are targeting, to see if their potential victim is running the target software. If they get the response they are expecting, they know they might be able to attack this victim.
Once the attacker knows the target software is installed, he attempts to connect to that software using the well-known default administrator password.
If the default password works, the attacker now has administrative rights to that software.
Type 2: Weak Passwords/Password Guessing: This is the most common password cracking technique, but it is one that requires some personal knowledge of the victim if it is going to be more than moderately effective.
To start, the attacker takes some effort to discover various pieces of personal information about the victim. This can include items ranging from a girlfriend's name, pet's name, parents' names, birth dates, etc.
After gathering the above information, the attacker simply tries to guess the victim’s password by trying various combinations of different names and numbers. People are relatively predictable, and there are some common password patterns like:
# Loved one’s name + birth date/phone number
# Victim’s name + birth date / phone number
How this type of vulnerability is exploited: An attacker is attempting to log in to the network of the company he was fired from with the username of his ex-boss. Because the attacker had worked with the victim for a while, he begins trying to guess possible passwords until he succeeds with the ex-boss's wife's name and the day of their anniversary.
The attacker is now logged onto the network with the credentials of his ex-boss.
Type 3: Insecure Password Storage: Another password vulnerability is centered around how passwords are stored. Unfortunately, despite the improvements in the encrypted and protected password storage by operating systems, a lot of systems are very trusting in how they store passwords.
One common mistake is to store passwords in plain text in any one of several places:
# Windows registry
# Configuration file
# Authentication file
# Custom file
Storing passwords in plain text is really the equivalent of writing them on the playground wall.
If passwords must be stored, at the very least they should be encrypted. A better option is to store a hash that is calculated from the user’s password instead of the password itself.
How this type of vulnerability is exploited: An attacker merely has to obtain access to the place the password is stored to change or steal the password.
Type 4: Insecure Password Transmission: Similar to the problems associated with plain text password storage, this vulnerability centers around transmitting passwords in plain text.
If passwords are transmitted in plain text, they are easily obtained by network sniffing, and reliance on a Secure Sockets Layer (SSL) connection alone still leaves open a spoofing or man-in-the-middle attack.
All transmission of sensitive information should require that the data be encrypted.
How this type of vulnerability is exploited: Network sniffing of the various network traffic can expose plain text password transmission.
Type 5: Dictionary-Based Attacks: This is a version of a password attack that relies on an automated tool that simply starts trying every word in whatever dictionary it uses as a resource to find the victim’s password.
When it meets with success, the tool displays the password for the attacker.
This type of password attack is very slow and uses a lot of system resources to function. It’s also useless if the user’s password isn’t in the dictionary.
How this type of vulnerability is exploited: This is the simple use of a tool to keep submitting the username and dictionary password guess until success is reached or the dictionary is exhausted.
Type 6: Brute Force Attacks: The fallback password attack is a simple brute force attack. This type of attack uses a tool to try all possible combinations of the available keys on the keyboard. This takes a long time, as there is a huge number of combinations to be tried, but it is not reliant on the user's choice of password. Because of this, it has a good success rate if the attacker wants to invest that sort of effort.
How this type of vulnerability is exploited: This attack also uses a tool and keeps submitting the username and password guess until either success is reached or the tool exhausts its options.
Software Testing Techniques to dig out the password vulnerabilities
Technique-1: For Insecure Password Storage:
The easiest way to detect plain text password storage is to exercise your system while you run monitoring software in the background to record what is being created and stored on the local system. It is important to include installation and uninstallation of the software in this exercise, with the same monitoring software running.
It’s also important to see what storage is being done on the server, if applicable, to eliminate the possibility of insecure password storage on the server itself.
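The following is an added example, not code from the original article: it shows the Type 3 mistake (a credential written verbatim to a custom file) next to the recommended salted-hash storage, and then applies Technique-1 in miniature by snapshotting a directory, exercising the "application", and scanning every newly created file for the test password. The test user, password, file names and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import pathlib
import tempfile

# Constructed test credential used to exercise the application under test.
TEST_USER = "qa-user"
TEST_PASSWORD = "Tr0ub4dor&3-test"
ITERATIONS = 600_000  # PBKDF2 work factor (assumed policy value)

def store_plaintext(path: pathlib.Path) -> None:
    """The insecure pattern from Type 3: the credential written verbatim to a custom file."""
    path.write_text(f"{TEST_USER}:{TEST_PASSWORD}\n", encoding="utf-8")

def store_hashed(path: pathlib.Path) -> None:
    """The recommended pattern: a per-user random salt plus a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", TEST_PASSWORD.encode(), salt, ITERATIONS)
    path.write_text(f"{TEST_USER}:{salt.hex()}:{digest.hex()}\n", encoding="utf-8")

def verify_hashed(path: pathlib.Path, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _user, salt_hex, digest_hex = path.read_text(encoding="utf-8").strip().split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def new_files_containing(root: pathlib.Path, secret: str, before: set) -> list:
    """Technique-1 in miniature: inspect every file created since the snapshot
    for the literal test password."""
    return [p.name for p in sorted(root.rglob("*"))
            if p.is_file() and p not in before and secret.encode() in p.read_bytes()]

def run_check() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        before = {p for p in root.rglob("*") if p.is_file()}   # snapshot before exercising
        store_plaintext(root / "app.conf")                     # what a careless app does
        store_hashed(root / "users.db")                        # what it should do
        return {
            "flagged": new_files_containing(root, TEST_PASSWORD, before),
            "hash_verifies": verify_hashed(root / "users.db", TEST_PASSWORD),
            "wrong_password_rejected": not verify_hashed(root / "users.db", "wrong"),
        }
```

On a real system the snapshot would cover the registry, configuration and authentication locations listed under Type 3, and the check would be repeated after install and uninstall.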
Technique-2: For Insecure Password Transmission
Setting up a network sniffer and then performing functions that would require the user to log onto the system will disclose plain text password transmission.
Remember that wireless networks can also have this vulnerability, so they should be verified as well.
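An added example, not part of the original article, of what the sniffer check in Technique-2 looks for once a capture of your own application's traffic has been reassembled into payloads: HTTP Basic authentication (base64 is encoding, not encryption) and a form-encoded login body both expose the credential, while an encrypted TLS record yields nothing readable. The three payloads, host name, field names and credential are constructed.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed application-layer payloads, as a sniffer would hand them over once
# reassembled; the third is an opaque TLS record to show what encrypted traffic looks like.
CAPTURED = [
    b"GET /admin HTTP/1.1\r\nHost: app.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"qa-user:Tr0ub4dor&3-test") + b"\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=qa-user&password=Tr0ub4dor%263-test",
    b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32)),
]

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SECRET_FIELDS = {"password", "passwd", "pwd"}

def find_plaintext_credentials(payloads):
    """Return (where, user, password) for every credential readable in the clear."""
    findings = []
    for raw in payloads:
        m = BASIC_RE.search(raw)
        if m:  # HTTP Basic is only base64-encoded, so it decodes directly
            try:
                user, _, pw = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
                findings.append(("basic-auth", user, pw))
            except (ValueError, UnicodeDecodeError):
                pass
        head, sep, body = raw.partition(b"\r\n\r\n")
        if sep and b"x-www-form-urlencoded" in head.lower():
            fields = parse_qs(body.decode("utf-8", errors="replace"))
            for name in fields.keys() & SECRET_FIELDS:
                user = fields.get("username", ["<unknown>"])[0]
                findings.append(("form-field", user, fields[name][0]))
    return findings
```

An empty result for a full login session is the pass condition; any finding means the password left the client in plain text and the transport must be encrypted end to end.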
Technique-3: For Password Cracking
Attempting to brute-force the password of a user account by simply entering a variety of incorrect passwords will not test the strength of the password itself, but it will demonstrate whether any mitigations are in place, such as locking out the user after a certain number of incorrect password entries.
Password cracking and guessing can also be made more difficult by defining and enforcing password length and complexity rules.
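An added example, not from the original article, putting Technique-3 into code: a reference login service with the lockout mitigation the text describes, a probe that submits known-wrong passwords against a test account and reports the attempt at which the lockout engages, and a checker for the length and complexity rules mentioned above. The thresholds (5 failures, 15-minute lock, 12 characters, 3 character classes) and the test account are assumptions.

```python
import re
import time

class LoginService:
    """Reference login with per-account lockout (assumed policy: 5 failures,
    15-minute lock). `clock` is injectable so tests can advance time."""

    def __init__(self, verifiers, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self._verifiers = dict(verifiers)   # user -> callable(password) -> bool
        self._failures = {}
        self._locked_until = {}
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock

    def login(self, user, password):
        now = self._clock()
        if self._locked_until.get(user, 0.0) > now:
            return "locked"                 # refuse even a correct password while locked
        verifier = self._verifiers.get(user)
        if verifier is not None and verifier(password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "denied"

def probe_lockout(service, user, wrong_passwords):
    """Technique-3 as a test: submit known-wrong passwords and report the attempt
    number at which the account reports 'locked' (None = no lockout observed)."""
    for attempt, guess in enumerate(wrong_passwords, start=1):
        if service.login(user, guess) == "locked":
            return attempt
    return None

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def policy_violations(password, username, min_length=12, min_classes=3):
    """Length and complexity rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems
```

A probe that returns None after more attempts than the documented threshold is a finding: the lockout mitigation is absent or not enforced for that account.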