Password protection always seems like an easy thing to do; but lets take a test driven approach to see how you do.
We see all over the news about passwords being leaked in the clear or leveraging only encoding or even weak hashing algorithms. Let’s take a simplified approach at looking at the logic associated with password storage and protections. I recently read a discussion() which challenged the “storage” of historical passwords. This foundation allows you to test and play with ideas to protect even these historical passwords while meeting the need to protect from re-used and drive regular rotation and changes.
- Clone https://github.com/cmeinco/appsecwtf-puzzles
- Install requirements
We start with a “working” version of the password management component. Review the code and feel free to adjust to your style, leverage the test cases to validate the functionality against positive and negative scenarios.
- Install and confirm 2 passed, 1 skipped, 3 xfailed.
- Protect the password while stored in the database. (Enable the skipped test case)
- Add a check for password complexity.
- Protect the logs, cleanup the logging messages to not output passwords in plain text.
- Dont let the password be changed immediately, add a timer which can be changed for different environments. Allowing a user to change their password immediately allows them to easily and quickly bypass the historical password requirement. Many environments enforce a 1 day wait time between password changes.
Feel free to push a PR with new ideas or test cases to help others!
More Thought Provoking Articles
Never stop learning.