diff --git a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md similarity index 81% rename from document/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md rename to document/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md index 2df8511c18..0c900d5403 100644 --- a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md +++ b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md @@ -1,4 +1,4 @@ -# Testing for Weak Password Policy +# Testing for Weak Authentication Methods |ID | |------------| @@ -8,6 +8,8 @@ The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: `123456`, `password` and `qwerty`. +Additionally, applications may utilize alternative credentials that are treated the same as a password, but are considerably weaker, such as a birthdates, social security numbers, PINs, or security questions. In some scenarios, these more easily guessed credentials may act as the only user supplied value for authentication. + ## Test Objectives - Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords. 
@@ -23,6 +25,7 @@ The most prevalent and most easily administered authentication mechanism is a st 6. Is the user prevented from using his username or other account information (such as first or last name) in the password? 7. What are the minimum and maximum password lengths that can be set, and are they appropriate for the sensitivity of the account and application? 8. Is it possible to set common passwords such as `Password1` or `123456`? +9. Is the credential chosen for the user by the application, such as a social security number or a birthdate? Is the credential that's utilized in lieu of a standard password easily obtainable, predictable, or susceptible to brute-force attacks? ## Remediation diff --git a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md index 882b799c0e..c8b54a63f2 100644 --- a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md +++ b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md @@ -181,7 +181,7 @@ Once the user has proved their identity (either through a password reset link, a - Is a strong and effective password policy applied? - The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) guide for further information. + The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) guide for further information. ## References 
diff --git a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md index aa9b8251bd..4c5024a7fb 100644 --- a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md +++ b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md @@ -12,7 +12,7 @@ 4.4.6 [Testing for Browser Cache Weaknesses](06-Testing_for_Browser_Cache_Weaknesses.md) -4.4.7 [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) +4.4.7 [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) 4.4.8 [Testing for Weak Security Question Answer](08-Testing_for_Weak_Security_Question_Answer.md) diff --git a/document/README.md b/document/README.md index 74d7ebbfa6..186614065b 100644 --- a/document/README.md +++ b/document/README.md @@ -126,7 +126,7 @@ #### 4.4.6 [Testing for Browser Cache Weaknesses](4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.md) -#### 4.4.7 [Testing for Weak Password Policy](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md) +#### 4.4.7 [Testing for Weak Authentication Methods](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md) #### 4.4.8 [Testing for Weak Security Question Answer](4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.md)
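Review bot: in the new paragraph added to the introduction of 07-Testing_for_Weak_Authentication_Methods.md, "such as a birthdates" is a grammar slip; read "such as birthdates, social security numbers, PINs, or security questions", and hyphenate "user-supplied". More substantively, the Test Objectives bullet that follows is unchanged and still covers only "brute force password guessing" and password length, complexity, reuse, and aging; now that the title is broadened to authentication methods, add an objective for the alternative credentials the paragraph introduces, for example whether a predictable or publicly obtainable value is accepted as the only user-supplied factor.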
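Review bot: item 9 in the test checklist of 07-Testing_for_Weak_Authentication_Methods.md packs two questions into one bullet and uses the contraction "that's", which the surrounding items avoid; split it into "9. Is the credential assigned by the application rather than chosen by the user, such as a social security number or a birthdate?" and "10. Is the credential that is utilized in lieu of a standard password easily obtainable, predictable, or susceptible to brute force attacks?". Note that a social security number or birthdate is not "chosen ... by the application", so "assigned" or "imposed" reads more accurately, and the spelling of "brute force" should match the unhyphenated form used in the introduction.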
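Review bot: the link updates in 09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md, the section README.md and the top-level document/README.md are consistent with the rename, but since the file name itself changes, any other reference to `07-Testing_for_Weak_Password_Policy.md` elsewhere in the repository (or an external bookmark to the published page) will break; before merging, search the tree for the old file name and consider whether the published site needs a redirect from the old path.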