OWASP · kingthorin · Dec 20, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 18, 2024
diff --git a/checklists/checklist.json b/checklists/checklist.json
@@ -309,9 +309,9 @@
                   ]
                 }
                 ,{
-                "name":"Testing for Weak Password Policy",
+                "name":"Testing for Weak Authentication Methods",
                 "id":"WSTG-ATHN-07",
-                "reference":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy",
+                "reference":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods",
                 "objectives":[
                     "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords."
                   ]

diff --git a/...ng/07-Testing_for_Weak_Password_Policy.md → ...esting_for_Weak_Authentication_Methods.md b/...ng/07-Testing_for_Weak_Password_Policy.md → ...esting_for_Weak_Authentication_Methods.md
@@ -1,4 +1,4 @@
-# Testing for Weak Password Policy
+# Testing for Weak Authentication Methods
 
 |ID          |
 |------------|
@@ -8,6 +8,8 @@
 
 The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: `123456`, `password` and `qwerty`.
 
+Additionally, applications may utilize alternative credentials that are treated the same as a password, but are considerably weaker, such as a birthdate or a social security number. In some scenarios, these more easily guessed credentials may act as the only user supplied value for authentication.
+
 ## Test Objectives
 
 - Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.
@@ -23,6 +25,7 @@ The most prevalent and most easily administered authentication mechanism is a st
 6. Is the user prevented from using his username or other account information (such as first or last name) in the password?
 7. What are the minimum and maximum password lengths that can be set, and are they appropriate for the sensitivity of the account and application?
 8. Is it possible to set common passwords such as `Password1` or `123456`?
+9. Is the credential chosen for the user by the application, such as a social security number or a birthdate? Is the credential that's utilized in lieu of a standard password easily obtainable, predictable, or able to be brute forced?
 
 ## Remediation
 

diff --git a/...ication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md b/...ication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md
@@ -181,7 +181,7 @@ Once the user has proved their identity (either through a password reset link, a
 
 - Is a strong and effective password policy applied?
 
-  The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) guide for further information.
+  The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) guide for further information.
 
 ## References
 

diff --git a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md
@@ -12,7 +12,7 @@
 
 4.4.6 [Testing for Browser Cache Weaknesses](06-Testing_for_Browser_Cache_Weaknesses.md)
 
-4.4.7 [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md)
+4.4.7 [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md)
 
 4.4.8 [Testing for Weak Security Question Answer](08-Testing_for_Weak_Security_Question_Answer.md)
 

diff --git a/document/README.md b/document/README.md
@@ -126,7 +126,7 @@
 
 #### 4.4.6 [Testing for Browser Cache Weaknesses](4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.md)
 
-#### 4.4.7 [Testing for Weak Password Policy](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md)
+#### 4.4.7 [Testing for Weak Authentication Methods](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md)
 
 #### 4.4.8 [Testing for Weak Security Question Answer](4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.md)