Weak password policies – Security Testing Handbook for Banking Applications

2: Basic Tests and Techniques
Ensure a three-tier architecture of web server – application server – database server for every application.
Make sure that all key traffic directed at the database is encrypted.
Use a low-privileged database user ID with restrictive access to map to the application users.
Enforce IP-based restrictions that limit direct connectivity to the database.
Weak password policies
Every application has an authentication screen where users can log in by entering their credentials. Often users choose weak passwords, or the application itself has a weak password policy. This can result in an attacker being able to crack a user’s password and gain access to that user’s profile and data. We run a series of tests to check various password-related parameters. Some of the most important tests that we carry out are as follows:
Check if an account gets locked after around 10 wrong attempts.
Check if a user can immediately change their password to a previous password.
Check if the password is complex enough.
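To make the three checks above concrete, here is an added reference implementation (not the handbook's code) of a password policy that enforces them with the thresholds this section recommends: minimum length 8 with mixed character classes, lockout after 10 wrong attempts, rejection of recently used passwords, and a 30-day maximum age. The history depth of 5, the salted PBKDF2 storage of old passwords and the use of epoch-second timestamps are my assumptions.

```python
import hashlib
import secrets

MIN_LENGTH = 8                   # minimum length stated on the page
MAX_FAILED_ATTEMPTS = 10         # lock the account after this many wrong attempts
MAX_PASSWORD_AGE = 30 * 86400    # 30 days, in seconds; "now" is epoch seconds (time.time())
HISTORY_DEPTH = 5                # assumption: the page does not say how many old passwords to remember

def complexity_errors(pw):  # -> list of rules the password fails; [] means it passes
    rules = [
        (len(pw) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (any(c.isupper() for c in pw), "an upper-case letter"),
        (any(c.islower() for c in pw), "a lower-case letter"),
        (any(c.isdigit() for c in pw), "a digit"),
        (any(not c.isalnum() for c in pw), "a special character"),
    ]
    return [msg for ok, msg in rules if not ok]

def _hash(pw, salt):
    # Salted PBKDF2 so the stored history cannot be read back as plaintext
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, password, now):
        self.failed, self.locked, self.history = 0, False, []  # history: (salt, hash), newest last
        self._store(password, now)

    def _store(self, pw, now):
        salt = secrets.token_bytes(16)
        self.history = (self.history + [(salt, _hash(pw, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now

    def login(self, pw, now):  # -> "ok", "bad", "locked" or "expired"
        if self.locked:
            return "locked"
        salt, stored = self.history[-1]
        if not secrets.compare_digest(_hash(pw, salt), stored):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
            return "locked" if self.locked else "bad"
        self.failed = 0  # a successful login resets the counter
        return "expired" if now - self.changed_at > MAX_PASSWORD_AGE else "ok"

    def change_password(self, new_pw, now):  # -> list of violations; [] means the change was applied
        errors = complexity_errors(new_pw)
        if not errors and any(secrets.compare_digest(_hash(new_pw, s), h) for s, h in self.history):
            errors.append("must differ from recently used passwords")
        if not errors:
            self._store(new_pw, now)
        return errors
```

A tester can drive exactly the three checks listed above against this model: ten wrong guesses must yield "locked", re-submitting the current password as the new one must be refused, and a short or single-class password must fail complexity.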
Solution
Set a minimum password length of 8. The password must be complex enough and must include upper- and lower-case letters, numbers and special characters. The user must be forced to change their password every 30 days at most. If