Monday, February 25, 2013

How to keep your passwords secure?

Password security is an important part of securing computer systems against unauthorized internal or external access, so let us consider this topic. Now, what is a password? A password is a string of characters that you supply to prove that you are who you claim to be when you log on to a computer system. In other words, a password is used to authenticate you to a computer system. We will see tips for creating a secure password. Next, we will see guidelines for application developers to implement good password security. But first, let us look at the different types of passwords.
There are several types of passwords:
1. BIOS (Basic Input/Output System) password: A BIOS password is authentication information that is required to access a computer's basic input/output system before the machine boots up. Your computer's BIOS is the first program that runs when your computer starts. You can tell the BIOS to ask for a password when it starts, thus restricting access to your computer.
2. Windows password: You use this to log on to the operating system. It is like the key to the kingdom: if the user account associated with this password has administrative access to the computer, the user may perform any task on the computer once logged in.
3. Email password: You use this password to log on to your email server. The email password is used both in a desktop client such as Outlook and in web clients like Gmail and Yahoo.
4. Application password: You use this to log in to a specific application on your computer (e.g. remote desktop, mobile application) or to a website (e.g. LinkedIn, Facebook or Twitter).
5. SSO (Single Sign-On) password: Single sign-on simplifies logging in and logging out of systems by automating username and password entry for authenticated users. Conversely, single sign-off means that a single action of signing out terminates access to multiple software systems. SSO enables you to log in once and gain access to all participating systems without being prompted to log in again.

Now, let us see tips on how to create a secure/strong password that is safe from unauthorized strangers.
1. Your password should be of a good length, i.e. eight or more characters long.
2. Include letters, punctuation, symbols and numbers in your password: combine upper case and lower case letters, numbers and special characters.
3. Don't use personal information (like birth date, social security number or nickname) that other people know.
4. Always choose a password that is different from each of your previous passwords.
5. Create a password that you can remember easily (meaning that you do not have to write it down).
6. Don't re-use the same password across multiple systems.
7. Avoid sequences of characters in order like 1234 or qwerty, and repeating characters like vvvv or 666.
8. You may want to use a pass phrase to remember the password: take the first letter of each word of the phrase as your password.
9. Don't use dictionary words. Instead, use proper nouns and words memorable to you.
10. Change your password regularly. For this, you can set automatic reminders that you need to change your password (email, banking etc.), say every quarter.
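The tips above can be expressed as checks that an application runs when a user picks a password. The following is an added example written for this article, not code from the original post: it rejects short passwords, passwords without a mix of character classes, passwords containing known personal information, a dictionary word, a sequence like 1234 or qwerty, repeated characters like vvvv or 666, or a previously used password, and it builds a password from the first letter of each word of a pass phrase (tip 8). The word list, keyboard rows and "at least three of four character classes" rule are constructed assumptions for the example.

```python
import re
import string

# Constructed sample data: a tiny stand-in for a real dictionary / breach word list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine"}
# Constructed keyboard rows used to spot patterns such as "qwerty" or "asdf".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_sequence(pw, length=4):
    """True if pw contains a run of `length` characters that step +1 in code point
    (1234, abcd) or that appear in order on a keyboard row (qwer)."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
        if any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False


def has_repeat(pw, length=3):
    """True if any character repeats `length` or more times in a row (vvvv, 666)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def password_problems(pw, personal_info=(), previous=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_info: strings the user should not embed (nickname, birth date ...).
    previous: the user's earlier passwords (tip 4).
    """
    problems = []
    if len(pw) < 8:  # tip 1
        problems.append("shorter than 8 characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:  # assumption: require at least three of the four classes (tip 2)
        problems.append("needs a mix of upper case, lower case, digits and symbols")
    low = pw.lower()
    for item in personal_info:  # tip 3
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if low in COMMON_WORDS:  # tip 9
        problems.append("is a dictionary word")
    if has_sequence(pw):  # tip 7
        problems.append("contains a sequence like 1234 or qwerty")
    if has_repeat(pw):  # tip 7
        problems.append("contains repeated characters like vvvv or 666")
    if pw in previous:  # tip 4
        problems.append("was used before")
    return problems


def passphrase_to_password(phrase):
    """Build a password from the first character of each word of a pass phrase (tip 8).
    Digits and punctuation in the phrase are kept so the result mixes character classes."""
    return "".join(word[0] for word in phrase.split() if word)


if __name__ == "__main__":
    candidate = passphrase_to_password("I bought 2 tickets to Paris in May, 2011!")
    print(candidate, password_problems(candidate) or "OK")
    print("Qwerty1234!", password_problems("Qwerty1234!"))
```

Run it as a script to see a pass phrase turned into a password that passes every rule, and a password that fails only on the keyboard-sequence rule. The checker returns the full list of violations rather than stopping at the first one, so a registration form can show the user everything that needs fixing at once.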

Finally, let us see tips on how a software application can implement good password security for its users.
1. The application should transmit and store the password in an encrypted format.
2. Once a user's password is changed successfully, the application should not allow the user to log in with the old password.
3. The application should allow only a limited number of password attempts within a given duration. After a certain number of failed login attempts, the application may either lock the account or allow further login attempts only after a certain period.
4. The application should not store sensitive user data such as a password in cookies.
5. The application should store the answers to password security questions in the database in hashed form, not in plain text.
6. The password should not be displayed on the display screen as it is entered. Asterisks (*) or bullets (•) should be displayed instead of password characters.
7. The application may employ other or additional authentication methods such as two-stage authentication, cognitive passwords or biometric (voice pattern, iris or fingerprint) authentication.
8. A web application should open secure pages using HTTPS only.
9. Instead of regular passwords, the application may implement non-text based passwords such as graphical passwords (images, graphics and colors) or mouse movement passwords.
10. The application should not inconvenience the users with an overly strict security policy (e.g. requiring a user to generate a new password every week or enter the password every 30 minutes to stay logged into the system).
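Guidelines 1, 2, 3 and 5 above can be demonstrated server-side in a few dozen lines. The following is an added example written for this article, not code from the original post or from any product: it stores each password as a salted PBKDF2 hash rather than in plain text (the hashed storage guideline 5 describes for security answers, applied here to the password itself), refuses the old password once it has been changed (guideline 2), and locks the account after a number of failed attempts inside a time window (guideline 3). The iteration count, attempt limit and 15-minute window are constructed values for the example; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000      # assumption: PBKDF2 work factor chosen for this example
MAX_ATTEMPTS = 5          # assumption: failed attempts tolerated within WINDOW_SECONDS
WINDOW_SECONDS = 15 * 60  # assumption: observation / lockout window


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password end up with different stored values."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class PasswordStore:
    """In-memory user table; a real application would keep this in a database."""

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so tests can move time forward
        self.users = {}      # username -> {"salt", "digest", "failures": [timestamps]}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "failures": []}

    def _recent_failures(self, record):
        """Drop failures older than the window and return the ones that remain."""
        cutoff = self.clock() - WINDOW_SECONDS
        record["failures"] = [t for t in record["failures"] if t > cutoff]
        return record["failures"]

    def is_locked(self, username):
        record = self.users.get(username)
        return record is not None and len(self._recent_failures(record)) >= MAX_ATTEMPTS

    def verify(self, username, password):
        """True only for the current password. Failures are recorded and, once the
        limit is reached, even the correct password is refused until the window passes."""
        record = self.users.get(username)
        if record is None or self.is_locked(username):
            return False
        _, digest = hash_password(password, record["salt"])
        if hmac.compare_digest(digest, record["digest"]):
            record["failures"] = []   # a successful login resets the counter
            return True
        record["failures"].append(self.clock())
        return False

    def change_password(self, username, old_password, new_password):
        """Re-hash with a new salt; afterwards the old password no longer verifies."""
        if not self.verify(username, old_password):
            return False
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, digest=digest, failures=[])
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "Ib2ttPiM2")
    print("login:", store.verify("alice", "Ib2ttPiM2"))
    print("change:", store.change_password("alice", "Ib2ttPiM2", "NewSecret#2013"))
    print("old password still works:", store.verify("alice", "Ib2ttPiM2"))
```

The comparison uses `hmac.compare_digest` so the time taken does not depend on how many leading bytes of the digest match, and the failure list is pruned on every check, so the lock expires on its own once the window has passed rather than needing a separate reset job.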

This is a guest article by Varsha Tomar. Varsha has 9 years of experience in both manual and automated software testing. Currently, she works with Vinculum Solutions as Senior Test Lead. Her interests include software testing, test automation, training, testing methodologies and exploring testing tools.