Test Password Quality

• Review the password requirements
• Attempt to set various kinds of weak passwords, using any self-registration or password change functions to establish the rules actually enforced.
• Test for incomplete validation of credentials and set a strong and complex password. Attempt to log in using different variations on this password by removing the last character, changing a character’s case, and removing any special characters.
• Having established the minimum password quality rules and the extent of password validation, identify the range of values that a password-guessing attack would need to employ to have a good probability of success.

Test for Username Enumeration

• Identify every location within the various authentication functions where a username is submitted, including via an on-screen input field, a hidden form field, or a cookie. Common locations include the primary login, self-registration, password change, log out, and account recovery.
• For each location, submit two requests containing a valid and an invalid username. Review every detail of the server’s responses to each pair of requests, including the HTTP status code, any redirects, information displayed on-screen, any differences hidden in the HTML page source, and the time taken for the server to respond.
• If you observe any differences between the responses where a valid and invalid username is submitted, repeat the test with a different pair of values and confirm that a systematic difference exists that can provide a basis for automated username enumeration.
• Check for any other sources of information leakage within the application that may enable you to compile a list of valid usernames.
• Locate any subsidiary authentication that accepts a username and determine whether it can be used for username enumeration.

Test for Password Guessing

• Identify every location within the application where user credentials are submitted. The two main instances typically are the main login function and the password change function.
• At each location, using an account that you control manually sends several requests containing the valid username and other invalid credentials.
  • Monitor the application’s responses to identify any differences.
  • After about 10 failed logins, if the application has not returned a message about account lockout, submit a request containing valid credentials.
  • If this request succeeds, an account lockout policy probably is not in force.
• If you do not control any accounts, attempt to enumerate or guess a valid username and make several invalid requests using this guess, monitoring for any error messages about account lockout.