Suggest how you would go about validating a password protection system for an application that you have developed. Explain the function of any tools that you think may be useful.

What will be an ideal response?

Validating a password protection system involves:

1. Identifying possible threats. The principal threats are:
   a. An attacker gains access without a password.
   b. An attacker guesses the password of an authorised user.
   c. An attacker uses a password cracking tool to discover the passwords of authorised users.
   d. Users make their passwords available to attackers.
   e. An attacker gains access to an unencrypted password file.

2. Developing tests that cover each of these threats:
   a. Test the system for all authorised users to check that each of them has set a password.
   b. Test the system heuristically for commonly used passwords, such as names of users, festivals, other proper names, and strings such as '12345'.
   c. Check that no user password is a word that appears in a dictionary. A password cracking tool usually checks encrypted passwords against the same encryption of every word in a dictionary.
   d. This is very hard to test. To stop users from writing down their passwords, you have to allow words that are in a dictionary, since these are easy to remember.
   e. Check that access to the password file is very limited, and check that all copy actions on the password file are logged.
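The following is an added example (not part of the original answer) showing how tests 2a, 2b, 2c and 2e could be automated: a heuristic check applied when a password is set, and an offline audit of the stored password file that flags plaintext entries and entries whose hash matches a candidate word, which is the same comparison a cracking tool makes. The storage scheme (hex SHA-256 of salt + password), the word lists and the sample records are all constructed assumptions for this example.

```python
import hashlib

# Constructed sample word lists for tests 2b/2c: names, festivals, common strings.
COMMON_WORDS = {"password", "welcome", "christmas", "diwali", "letmein", "alice"}
WEAK_STRINGS = {"12345", "123456", "qwerty", "abc123"}

def hash_password(password: str, salt: str) -> str:
    # Assumed storage scheme for this example: hex SHA-256 of salt + password.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def weak_password_reasons(username: str, password: str) -> list:
    """Heuristic check run when a password is set (tests 2a and 2b)."""
    reasons = []
    if not password:
        return ["no password set"]
    lowered = password.lower()
    if username.lower() in lowered:
        reasons.append("contains user name")
    if lowered in COMMON_WORDS:
        reasons.append("common word or proper name")
    if any(s in lowered for s in WEAK_STRINGS):
        reasons.append("contains a well-known weak string")
    return reasons

def audit_password_file(records: dict) -> dict:
    """Offline audit of the stored password file (tests 2c and 2e).
    records maps username -> {"salt": str, "stored": str}. Flags plaintext
    entries and entries whose hash equals the hash of a candidate word."""
    candidates = COMMON_WORDS | WEAK_STRINGS
    findings = {}
    for user, rec in records.items():
        stored = rec["stored"]
        if len(stored) != 64 or any(c not in "0123456789abcdef" for c in stored):
            findings[user] = "stored in plaintext"   # unencrypted password file
            continue
        for word in candidates:
            if hash_password(word, rec["salt"]) == stored:
                findings[user] = f"hash matches candidate word '{word}'"
                break
    return findings

# Constructed sample password file: one strong entry, one dictionary word, one plaintext.
SAMPLE_RECORDS = {
    "alice": {"salt": "s1", "stored": hash_password("Tr0ub4dor&3", "s1")},
    "bob": {"salt": "s2", "stored": hash_password("christmas", "s2")},
    "carol": {"salt": "s3", "stored": "summer2024"},
}
```

Running `audit_password_file(SAMPLE_RECORDS)` flags bob (hash matches a candidate word) and carol (plaintext) while alice passes.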

Computer Science & Information Technology
