Source: http://www.a1qa.com/blog/protecting-user-passwords-security-techniques-and-penetration-testing

Protecting user passwords: security techniques and penetration testing

24 May 2018 | Cybersecurity testing | Article by a1qa

Contents:

- 3 ways attackers steal passwords
- Password protection techniques
- What happens if there are no security techniques implemented: a real-world example
- Penetration testing is a vital part of any effective security strategy
- When to perform pen testing?

High-profile data breaches continue to hit the headlines. However, you may be surprised to learn that most attacks do not take a lot of time or effort. Weak passwords give abusers plenty of opportunities.

If you are involved in the development of a software product that handles personal data, this post is just for you. It was prepared by the engineers of the a1qa Security Testing Center of Excellence. After reading it, you'll learn:

- What are strong passwords?
- What techniques can be implemented to increase the security of user accounts?
- Can software testers detect security flaws before real attackers do, and eliminate them?

3 ways attackers steal passwords

Before talking about securing passwords, let's list the ways an attacker may steal them. Generally, a password can be stolen directly from the user, from the service, or on its way from the client to the service.

Today, we'll focus on the first option only, as it is the one related to password security. The other two concern web app vulnerabilities, where the likelihood of the password being stolen has nothing to do with its complexity.

So how can attackers break in?

- Brute-force attacks. Surprisingly, most passwords can be guessed within a specific number of tries. With this method, hackers use special tools to enter passwords over and over again until the right one is found. This is the easiest and least sophisticated method.
- Social engineering techniques to learn the user's credentials, as human weakness is much easier to exploit than network vulnerabilities. This method is more sophisticated and requires psychological skill from the hacker to sound trustworthy and make the victim reveal the data.
- Physical access: the attacker can peep at the password at the victim's workstation, install a keylogger to monitor and record every keystroke typed, or simply find a sticker with the password written on it.

You see, it's not that difficult to learn a password if you want to.

Password protection techniques

If the hacker prefers one of the latter two options, the dev team won't be able to do anything to stop them. However, the first method can be prevented by implementing certain techniques at the software development stage.

Let's name a few:

- Implement CAPTCHA to prevent bots from automating logins and to prove that a human is performing the action.
- Require two-factor authentication with the help of other devices. For example, a user may be asked to enter a code received in an SMS. Another option is to generate a one-time password that is valid for only one session or transaction.
- Restrict a user after several unsuccessful login attempts. However, make sure you don't block the user forever, just for some period of time.
- Add controls on password minimum length and complexity. The ideal password length is 8-12 symbols. Make sure your users know that the password may incorporate numbers, Latin characters and special symbols ($, ?, !, etc.). A combination of numbers and letters (upper- and lower-case) is reasonable and reliable.

It is NOT recommended to use:

- Words that can be found in a dictionary, since password-cracking tools use dictionaries.
- Adjacent keyboard combinations like qwerty, 123456789 or qazxsw; these are trivial to crack.
- Personal data (first or last name, birth date, passport number, etc.), and passwords reused from other services.

Inform your users that it's also important to choose a password that is not difficult to remember. Most people tend to write long passwords down and stick them to the monitor, which increases the risk of the password being stolen.
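The password rules listed above, turned into a server-side checker, as an added example that is not the article's or a1qa's code. It flags exactly the weaknesses the article names: too short, missing character classes, dictionary words, adjacent-keyboard sequences and personal data. The word list is a constructed placeholder (a deployment would load a full dictionary file), and the two extra keyboard rows beyond the article's qwerty, 123456789 and qazxsw are my assumption.

```python
import re

# Constructed placeholder word list; a real deployment loads a full dictionary file
DICTIONARY_WORDS = {"password", "welcome", "dragon", "football", "summer"}
# Adjacent-keyboard runs: the article's three examples plus two more rows (assumed)
KEYBOARD_SEQUENCES = ("qwerty", "123456789", "qazxsw", "asdfgh", "zxcvbn")


def check_password(password, personal_data=()):
    """Return the list of policy violations; an empty list means the password passes.

    personal_data holds strings the user is known by (names, birth year, ...)
    that must not appear inside the password.
    """
    problems = []
    pw = password.lower()

    # Minimum length from the article's 8-12 recommendation
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Character classes: numbers, Latin letters in both cases, special symbols
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special symbol")

    # Dictionary words: strip digits and symbols so "Summer2018!" is still caught
    core = re.sub(r"[^a-z]", "", pw)
    if core in DICTIONARY_WORDS or pw in DICTIONARY_WORDS:
        problems.append("dictionary word")

    # Keyboard-adjacent runs in either direction
    for seq in KEYBOARD_SEQUENCES:
        if seq in pw or seq[::-1] in pw:
            problems.append(f"keyboard sequence '{seq}'")

    # Personal data embedded in the password (short tokens skipped to avoid noise)
    for item in personal_data:
        item = item.lower()
        if len(item) >= 3 and item in pw:
            problems.append(f"contains personal data '{item}'")
    return problems
```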

You can also build in notifications that remind users to change their password, for example once every 90 days.

Also, think about the actions a user should take if their password has been stolen, or they believe it has been.

What happens if there are no security techniques implemented: a real-world example

If there are any vulnerabilities in the security mechanisms, an abuser with enough time and desire to get the password will make use of them and sooner or later succeed. Getting access to the web site admin panel will enable the abuser to change the web site content.

In one of our projects, the engineers were testing a mobile app. The app had two-factor authentication: the user had to enter a phone number, receive a 4-digit code by SMS and enter that code to log in.

The first thing the a1qa engineers paid attention to was that the code consisted of only 4 digits, which gave them (and abusers) just 10,000 possible combinations to try.

To make things worse, there was an error in the authentication process: the server didn’t block users after any number of unsuccessful login attempts.

Cracking the password with the specially developed script took our engineers only 15 minutes!
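An added example, not a1qa's or the tested app's code, of the server-side check the case study lacked and the temporary-lockout advice above calls for: every wrong guess against a one-time code is counted, the code is discarded after a small attempt budget, the account is locked for a period, and the code expires. Class, method and parameter names are my own; the clock is injectable so the behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time


class OtpVerifier:
    """Server-side check of a numeric one-time code with a bounded attempt budget.

    Each wrong guess is counted; after max_attempts the code is discarded and
    the account is locked for lockout_seconds; the code also expires after
    ttl_seconds. Guessing is therefore capped at max_attempts tries per code.
    """

    def __init__(self, digits=6, max_attempts=5, ttl_seconds=300,
                 lockout_seconds=900, now=time.time):
        self.digits, self.max_attempts = digits, max_attempts
        self.ttl, self.lockout = ttl_seconds, lockout_seconds
        self.now = now              # injectable clock, so tests need no sleeping
        self.code, self.expires_at = None, 0.0
        self.failures, self.locked_until = 0, 0.0

    def issue(self):
        """Generate a fresh code (what the server would send by SMS); None if locked."""
        if self.now() < self.locked_until:
            return None
        self.code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.expires_at = self.now() + self.ttl
        self.failures = 0
        return self.code

    def verify(self, guess):
        """True only for the correct, unexpired code inside the attempt budget."""
        if self.code is None or self.now() > self.expires_at:
            return False
        # Constant-time comparison: response timing reveals nothing about the digits
        if hmac.compare_digest(self.code.encode(), str(guess).encode()):
            self.code = None        # single use: a verified code cannot be replayed
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.code = None        # budget exhausted: discard code, lock temporarily
            self.locked_until = self.now() + self.lockout
        return False


def guess_success_probability(digits, max_attempts):
    """Chance that an attacker who uses the whole attempt budget hits the right code."""
    return min(1.0, max_attempts / 10 ** digits)
```

With a 4-digit code and 5 attempts per code the success chance drops to 0.05%, whereas the unlimited attempts in the case study made every one of the 10,000 combinations reachable.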

See also: Top Security Threats for Web Apps detected by the a1qa engineers, Part 1 and Part 2.

Penetration testing is a vital part of any effective security strategy

Pen testing assesses the security level of a system by running simulated attacks to detect possible entry points for abusers.

Professional pen testing process involves several stages.

At the very beginning, security testing engineers collect all the information they can about the victim/client: names, emails, children's names, nicknames on social media accounts, etc. Based on this information, dictionaries for password cracking are generated and used.

Social engineering emails, calls, face-to-face contact and other tests on people can be performed to ascertain whether they are susceptible to an attack.

When to perform pen testing?

Penetration testing should start only after the application is ready and a full functionality test is completed.

Pen testing results:

- An independent assessment of the system's security level
- Detection of all security weaknesses
- A list of recommendations for improvement, with estimates of the time and cost needed to implement them

Is your users' data secured? If you have any doubts, set up an obligation-free consultation with the a1qa security testing specialists.
