16 April, 2012

18 Testing Challenges from Santhosh Tuppad - Part II

This is Part II of my response to Santhosh’s challenge. Part I is HERE

8. If you are the solution architect for a retail website which has to be developed; what kind of questions would you ask with respect to “Scalability” purpose with respect to “Technology” being used for the website?

Here are a few questions on scalability with respect to technology:
1. Can the technology take the current load of customers visiting the website?
2. Can the technology handle an increasing load of customers per unit of time?
3. What is the maximum load the technology can handle?
4. What is the maximum load at which the technology still performs optimally, without any degradation in website usage?
5. Can the technology be easily extended with additional infrastructure?
6. Does the technology have any scalability limitations per se?
7. Does the technology work well with the programming languages used to code the website?
8. Does the technology blend well with the hardware, software and middleware used?
9. Is the technology portable if the website has to be built on multiple platforms over a period of time?

A system is scalable if it continues to accept a large amount of load and operate normally without additional configuration costs.

Let me assume I work for one of the biggest retail giants in the world, with retail business spread across multiple continents. Let’s understand what they need as part of the basic infrastructure:

Hardware
Data Warehouses
Content Management Systems
Mainframe and Unix Servers for running batch jobs at regular intervals
Middleware for data transfer between multiple components
Marketing management tools
Email management tools
Data storage devices
Multi-processor distributed systems

Software
Server operating systems
Databases
Customer facing applications
Marketing applications
Marketing management tools
Email management tools

In a typical scenario, if a performance problem surfaces, what does the development team do? They add infrastructure to mitigate the problem. This is an easy way to temporarily shoo away the performance problem. Over a period of time, if management decides to keep the product’s contribution margin intact, adding more infrastructure will become a problem.

What has scalability to do with infrastructure when the question explicitly asks about technology scalability?
I strongly believe that technology and infrastructure must go hand in hand to make any software solution scalable. If the technology is scalable but the infrastructure setup is pretty bad, there is a problem. If the infrastructure is as expected but the technology isn’t scalable, that is a problem too.

Let’s consider scalability in a web service scenario. If we had to scale the web service to a large set of customers over a period of time, the technology must allow it. If I said I’ll write a simple batch script for resource allocation in the above scenario, it may or may not be scalable. If the same solution were written using a framework from a solid programming language, maybe there is more hope.

In short, scalability is good only when there is a right mix of technology and infrastructure. Both cannot be mutually exclusive to make any system scalable.

NOTE: I am not happy with my answer on this one. I liked the one written by Markus Gartner.


9. How do you think “Deactivate Account” should work functionally keeping in mind about “Usability” & “Security” quality criteria?

I have been unable to close one of my bank accounts as they have a lengthy de-activation process: an application form, returning the security device and any remaining cheque leaves. Initially, I was annoyed as I didn’t want to spend time going to the bank, and they were not taking my verbal confirmation over the phone seriously. After a while, I realised that if de-activation were so simple, I could de-activate anyone’s account if I knew their customer number. It’s important to keep the de-activation process as secure and fool-proof as possible.

If a user decides to de-activate his account on the website, it can be done using the following steps:

Step 1: Identify the user
Check that the user has a valid account by asking for the username/email address and validating it accordingly.

Step 2: Authenticate the user
Authenticate the user by asking for some information that is unique to that user. This way, one can be doubly sure that the right account is de-activated. Having a captcha in this step prevents bots from misusing this feature.

Step 3: De-activation process
If the user provides valid information, initiate de-activation by sending an email with a de-activation link. Note that this hyperlink must be limited to one-time use.

Step 4: Confirmation of de-activation
The user clicks the de-activation link in the email to de-activate the account.

The above steps are reasonably secure from a security point of view and, since the steps are simple and easy to follow, from a usability point of view as well.
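The four steps above, as an added example in Python (not code from the original post): the user table, the mail outbox, the example.test domain and the 15-minute lifetime are constructed assumptions. Only a hash of the de-activation token is kept on the server, the link is consumed on first use, and the secret used in Step 2 is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a de-activation link stays valid (assumed value)


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed user table. The "unique information" of Step 2 is a secret answer,
# stored hashed; a production system would use a salted, slow hash for it.
USERS = {
    "alice": {"email": "alice@example.test", "answer_hash": _sha256("blue"), "active": True},
}
PENDING = {}   # sha256(token) -> (username, expiry): only the hash lives server-side
OUTBOX = []    # (recipient, link) for every mail the app "sends"; stand-in for a mailer


def identify(username: str) -> bool:
    """Step 1: does an account with this name exist?"""
    return username in USERS


def authenticate(username: str, answer: str) -> bool:
    """Step 2: compare the user's unique information in constant time."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["answer_hash"], _sha256(answer))


def start_deactivation(username: str, answer: str, now=None) -> bool:
    """Step 3: after identify + authenticate, e-mail a single-use link.
    A leaked PENDING table cannot be turned back into a working link
    because only the token's hash is stored."""
    now = time.time() if now is None else now
    if not (identify(username) and authenticate(username, answer)):
        return False
    token = secrets.token_urlsafe(32)
    PENDING[_sha256(token)] = (username, now + TOKEN_TTL)
    OUTBOX.append((USERS[username]["email"], f"https://example.test/deactivate?t={token}"))
    return True


def confirm_deactivation(token: str, now=None) -> bool:
    """Step 4: clicking the link consumes the token; a second click or an
    expired link fails."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_sha256(token), None)   # pop => one-time use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    USERS[username]["active"] = False
    return True
```

The `now` parameter exists so that expiry can be exercised without waiting; the flow itself never trusts anything in the link except the token.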






10. For every registration, there is an e-mail sent with activation link. Once this activation link is used account is activated and a “Welcome E-mail” is sent to the end-users e-mail inbox. Now, list down the test ideas which could result in spamming if specific tests are not done.

1. Click on the activation hyperlink received in the email inbox multiple times. If this action is tied to another action where a “Welcome” email is sent to the user, then each time the user clicks this hyperlink an email is sent to the user.

2. Once the activation hyperlink opens and confirms that activation has succeeded, refresh this page using the “Refresh/Reload” option. If the refresh of this page is tied to an action where a “Welcome” email is sent, the user could get spammed.

3. Once the activation hyperlink opens and confirms that activation has succeeded, refresh this page using the ‘Reload Every’ add-on to spam the user. This is a variation of idea 2 above.

4. If the registration page does not check for already registered email addresses, registration can be done multiple times using the same email address, hence spamming the user. This idea, combined with 1, 2 and 3 above, can be used to spam the user to a large extent.

5. In the registration page, enter the same email address multiple times separated by commas. A loophole in the application could treat these as separate addresses and send the same activation hyperlink to the same email address multiple times. Note that this scenario is not directly linked to the above question.
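The five ideas above written as checks against a small registration/activation service, as an added example in Python (not code from the original post); the account table, the sent-mail list and the constructed bob@example.test address are assumptions. The activation token is consumed on first use, so ideas 1 to 3 cannot produce a second welcome mail; the registration step rejects a repeat address (idea 4) and a comma-separated list of addresses (idea 5).

```python
import re
import secrets

# Constructed in-memory stand-ins for the user table and the outgoing mail queue.
ACCOUNTS = {}   # email -> {"activated": bool}
PENDING = {}    # activation token -> email
SENT = []       # (recipient, subject) for every e-mail the app "sends"

# Exactly one address: whitespace and commas are not allowed anywhere, so a
# comma-separated list (idea 5) is rejected instead of being fanned out.
EMAIL_RE = re.compile(r"^[^\s@,]+@[^\s@,]+\.[^\s@,]+$")


def register(email: str) -> bool:
    """Store a new account and send one activation link. Returns False (and
    sends nothing) for a malformed address or a repeat registration (idea 4)."""
    email = email.strip().lower()
    if not EMAIL_RE.match(email) or email in ACCOUNTS:
        return False
    ACCOUNTS[email] = {"activated": False}
    token = secrets.token_urlsafe(32)
    PENDING[token] = email
    SENT.append((email, "activation"))
    return True


def activate(token: str) -> bool:
    """Idempotent activation: the token is removed on first use, so repeated
    clicks, page reloads and auto-reload add-ons (ideas 1-3) cannot trigger
    the welcome mail again. True only for the first successful use."""
    email = PENDING.pop(token, None)
    if email is None:
        return False
    ACCOUNTS[email]["activated"] = True
    SENT.append((email, "welcome"))
    return True


def welcome_count(email: str) -> int:
    """The number a tester checks after running the spam ideas."""
    return sum(1 for to, subject in SENT if to == email and subject == "welcome")
```

A real confirmation page would additionally be served from a redirect rather than from the token URL itself, so that a browser reload re-requests a plain page and never the activation action.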


11. In what different ways can you use “Tamper Data” add-on from “Mozilla Firefox” web browser? If you have not used it till date then how about exploring it and using it; then you can share your experience here.

1. Viewing client requests - Tamper Data can be used to view all requests sent from the client to the server
2. Parameter tampering - Can be used to tamper with input parameters before they are submitted to the server
3. Security testing - Can be used to tamper with HTTP requests (methods, headers and parameters) to security test client requests to servers
4. Cookies/Session ids - Can be used to view and tamper with cookies / session ids and hijack other user sessions

Pros
1. Tamper Data is an add-on that is accessible wherever browsers are installed
2. It’s easy to setup and use if Firefox browser is installed

Cons
1. Tamper Data is not as powerful as Burp Suite :-)


12. Application is being launched in a month from now and management has decided not to test for “Usability” or there are no testers in the team who can perform it and it is a web application. What is your take on this?

Usability testing is treated like a stepchild in most organizations. It often becomes a last-minute task which gets done if and only if the so-called "functional testing" is complete. We all know that complete (exhaustive) testing is impossible. As a result, there may be little or no time for usability testing.

If I am part of this project, I would identify a tester or a group of testers who I think have a decent knowledge of usability. I would help them learn about usability heuristics and become well-versed in these areas. Another good learning method would be to provide sample websites to test for usability, evaluate their reports and provide feedback. Based on this, I would hope they'll do a good job testing the web application above.

As I write this, I am aware that some people reading this will think, "Where is the time to do all of the above when there is hardly any time left to test for usability?" I completely empathize with such people. I have been there and done that. In such projects, it makes sense to provide "on the job" training. It's important to identify at least one person who has a good understanding of usability in general and usability testing in particular. **This person must set up a usability testing team and do one or more of the following:

Hallway Testing
Employ a few people walking down the hallway to test websites. Hand pick users from different walks of life and find out what irritates them as they use the websites.

Recorded Surveys
Record the proceedings as user uses the website and talks about pain points. Show the findings to web designers and work on how websites can be designed differently to ease those pain points.

Emphasis on Feelings
Magnifying user’s feelings (good and bad) as they use the websites helps gauge what makes good websites good and bad websites bad. Users’ feelings are fragile and it’s important for websites to handle these feelings with care.

**Adapted from my article "My Story of Website Usability" published in January 2012 edition of Testing Circus magazine.



13. Share your experience wherein; the developer did not accept security vulnerability and you did great bug advocacy to prove that it is a bug and finally it was fixed. Even if it was not fixed then please let me know about what was the bug and how did you do bug advocacy without revealing the application / company details.

Security Vulnerability
I worked on a multi-component project where each component was owned by a different team. Our team owned component A and another team owned component B. Component A was responsible for storing confidential information at a single location. This data would be requested by multiple consumers and processed accordingly. Since this was a closely watched system with restricted user privileges, no security measures were taken on this component. The problem arose when other components had to request data from component A. Component B, being first in line, requested the data, and component A gave it away as the requestor on component B was a trusted guy. However, neither the request nor the response was secured: component B ended up holding a local copy of the confidential data even though it was not supposed to store any of it.

Team Ownership
The security vulnerability mentioned above was a bigger challenge given that multiple teams were involved, with tons of ego floating around, from “This is not my component’s problem, it’s yours” to “Your implementation sucks”. The people involved hardly got into the details of the problem and the impact it could have if these components were shipped as is.

Bug Advocacy
As a tester, it was important for me to understand the impact of the above problem before I could advocate fixing it. I got in touch with a couple of subject matter experts who had worked on similar projects and asked for inputs. I initiated a dialog with a couple of security architecture teams to understand the implications. Around the same time, I gathered feedback on why Team A and Team B had to work together to fix this problem instead of working in silos. Based on all the information I had, I convened a meeting and discussed these problems with all the team owners. Eventually, the bug was accepted as a problem and fixed accordingly.


14. What do you have in your tester’s toolkit? Name at least 10 such tools or utilities. Please do not list like QTP, Load Runner, Silk Test and such things. Something which you have discovered (Example: Process Explorer from SysInternals) on your own or from your colleague. If you can also share how you use it then it would be fantastic.

1. Notepad++ - for taking notes
2. Burp Suite - for tracking HTTP requests
3. Beyond Compare - comparing files/folders for build verification testing
4. XMind - mind mapping tool for project planning, infrastructure planning, test planning, test status reporting and test release documentation
5. Process Explorer - for tracking processes
6. Task Manager - for tracking processes and tasks
7. Batch scripts to execute mundane testing tasks
8. Windows Scheduled Tasks to automate Windows-based tasks. Eg. running a server installation batch script daily at a specified time :-)
9. Microsoft Excel - reporting
10. Browser Add-ons

a. Firebug
b. Web Developer
c. Tamper Data
d. iMacros
e. Resolution Test
f. And others at http://moolya.com/blog/2011/03/04/addon-mindmap-for-testers-from-moolya/


15. Let us say there is a commenting feature for the blog post; there are 100 comments currently. How would you load / render every comment. Is it one by one or all 100 at once? Justify.

Option 1 - Loading comments one after another
Given the attention span of a human being and his thirst for the very next comment, loading one message at a time is a bad idea. It’s a bad user experience because the application has to assume a set number of seconds for reading one comment in order to load the next one after ‘x’ seconds. This delay might be acceptable for a few and not acceptable for others. Many of us are curious enough to read the next comment even before the previous one completes. Given this user behaviour, loading one comment at a time is a bad idea.

Option 2 - Loading all 100 comments at one shot
Loading all 100 comments at one shot means there could be a performance overhead. Assume that each comment contains close to 30 words. Suppose it takes about 6 seconds to load on a machine with 512 MB RAM (well, I have one at home ;-)). Loading 100 comments on the page means 100X6=600 seconds, which is 10 minutes. 10 minutes is a HUGE time for a comments page to load. Users would run away from this page. Loading all comments simultaneously is a poor idea. Moreover, this solution is not scalable as the number of comments increases over a period of time.

Option 3 - Gradual loading of a designated number of comments
Loading a few comments while the user reads the previous ones is good design. Suppose 10 messages load at a time. By the time the user scrolls down to read the 8th message, the next set of 10 messages must already be loading in the background. This way, loading the comments is phased out and the user’s attention is not lost either. I believe the performance overhead is minimized as there is no stress on the system to load all messages at one shot. This is a scalable solution. Eg. the “More” option on the Twitter web interface

I would go for Option 3 above. Again, this suits me as a user. If the context demands that comments load in a particular way to satisfy specific user requirements, designers could still go for Option 1 or 2 above. Context rules!
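Option 3 as a cursor-paginated comments API, added here as an example in Python (not code from the original post): the 100 constructed comments, the batch size of 10, the "8th comment" prefetch trigger and the server-side cap of 50 per request are assumptions. The cap is the part a security-minded reviewer looks for, since without it a client can still request "all 100" (or all 100,000) in one call.

```python
# Constructed sample: 100 comments in posting order, each with an increasing id.
COMMENTS = [{"id": i, "text": f"comment {i}"} for i in range(1, 101)]
PAGE_SIZE = 10     # comments loaded per batch (assumed)
MAX_PAGE = 50      # hard server-side cap, whatever the client asks for (assumed)


def page_comments(after_id: int = 0, size: int = PAGE_SIZE):
    """Return the next `size` comments after `after_id` and the cursor to use
    for the following request (None once everything has been delivered).
    A keyset cursor (last id seen) is stable even when new comments arrive."""
    size = max(1, min(size, MAX_PAGE))
    batch = [c for c in COMMENTS if c["id"] > after_id][:size]
    has_more = bool(batch) and any(c["id"] > batch[-1]["id"] for c in COMMENTS)
    next_cursor = batch[-1]["id"] if has_more else None
    return batch, next_cursor


def should_prefetch(comments_read: int, size: int = PAGE_SIZE, trigger: int = 8) -> bool:
    """Option 3's rule: once the reader reaches the 8th comment of the current
    batch, the client fetches the next batch in the background."""
    if comments_read <= 0:
        return False
    position_in_batch = (comments_read - 1) % size + 1
    return position_in_batch >= trigger


def load_all(size: int = PAGE_SIZE):
    """Drive the cursor to the end, the way a scrolling client would; returns
    the list of batches so the page count can be inspected."""
    cursor, pages = 0, []
    while cursor is not None:
        batch, cursor = page_comments(cursor, size)
        pages.append(batch)
    return pages
```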


16. Have you ever done check automation using open-source tools? How did you identify the checks and what value did you add by automating them? Explain.

I have used Microsoft ACT, AutoIt and the iMacros add-on for check automation.

How did you identify the checks?
Checks are tests that don’t need human thinking to decide the next course of action. A few lines of code can accomplish the same if coded well and remove human intervention.

To quote Ben Simo, “Automated checking can only process whatever decision rules someone thought to program when the checks were created. … Rather than look at testing as something to be either manual or automated, I encourage people to look at individual tasks that are part of testing and try to identify ways that automation can help testers evaluate software.”

What value was added?
Suppose you need to create about 30 test email accounts. You could use the iMacros tool to record the registration process. If a captcha is present, the process can be automated up to the point where the captcha is encountered and resumed after a human enters the captcha value.

I have been part of a team that used Microsoft ACT to write basic performance scripts to test performance tuning products. I wasn’t involved directly with coding, but using these scripts helped identify performance problems in the product we were testing. And of course, it saved a lot of time doing the same set of tests manually.

I have used AutoIt to execute server installation and configuration for one of my projects. An AutoIt script along with batch scripting was used to automate the server installation process, which manually took a full day. With this script, the installation was run overnight and the server was ready the next morning.

In general, check automation helps automate mundane and routine tasks, and the saved time can be used to test features that need humans to think and decide the next course of action.




17. What kind of information do you gather before starting to test software? (Example: Purpose of this application)

Software information
1. What is the problem that this application is expected to solve, i.e., the purpose of the software? :-)
2. What is the history of this application?
3. Is there an existing application that was built for the same purpose but failed to solve the problem? If yes, what were its limitations?
4. What technology is this application built with?
5. Is there a competitor application already? If yes, what is it good at and what is it bad at?
6. What are the business objectives set for this application?
7. What are the constraints in building this application?
8. Which features are agreed upon to be built?
9. Which features are prioritized over others?

User information
1. Who are the users of this application?
2. Are the developers (testers, programmers and concerned support teams) of the application aware of how it will be used?
3. What is the single most burning problem that the users are facing, for which this application is built?
4. What are the constraints (permissions and privileges) under which users have to use the application?

Documentation
1. Existing documents about the application
2. New requirements documents
3. Online help (if any)
4. Documents relating to competitor products
5. Research on similar applications

People Knowledge
Talking to the following folks can fetch more information about the application:
1. Actual stakeholders of the product (Business teams)
2. Sales professionals
3. Marketing professionals
4. Business/Functional analysts
5. Solution architects
6. Programmers (Give them a warm hug everyday, LOL!)
7. Experts on the respective technology and applications
8. Domain experts
9. Support teams
10. Infrastructure teams
11. Senior management
12. Fellow testers

And of course, tons of meetings :-).


18. How do you achieve data coverage (Inputs coverage) for a specific form with text fields like mobile number, date of birth etc? There are so many character sets and how do you achieve the coverage? You could share your past experience. If not any then you can talk about how it could be done.

Data coverage cannot be exhaustive, as it is impossible to cover all inputs once the number of variables in the system grows. For example, if we have to test with the different types of mobile numbers across the world, imagine the number of tests that need to be executed.

What needs to be done in such situations is to identify a sample of the data set that can be used as test data. This sample must be an optimal subset that'll cover most of the heavily used test data formats. There are several tools that can be used to generate test data. These tools not only generate a decent sample of test data, but also support multiple character sets, languages, special characters and many other features. Following is a summary of a few of those.

GenerateData.com
Test Data generation
1. Names
2. Phone numbers
3. Email addresses
4. Cities
5. States
6. Provinces
7. Countries
8. Dates
9. Street addresses
10. Postal zip code
11. Number ranges
12. Alphanumeric strings
13. Country specific data (state / province / county) for US, Canada, UK etc
14. Auto-increment
15. Fixed number of words
16. Random number of words

Test File generation
1. XML
2. Excel
3. HTML
4. CSV
5. SQL

Hexawise
1. Pairwise testing using multiple variables
2. Valid pairs
3. Invalid pairs
And a lot more at http://hexawise.com/.

Allpairs
AllPairs helps with pairwise testing. For example, if your product needs to be tested on 3 different browsers with 2 versions each, AllPairs can generate the pairwise data set for you. More at http://satisfice.com/tools.shtml.
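What the pairwise tools above compute, as an added example in Python (not code from the original post, and not the algorithm of AllPairs or Hexawise): a simple greedy generator that keeps choosing the full-product row covering the most still-uncovered value pairs. The browser/version/OS parameters are constructed; the third parameter is added so that pairwise coverage actually needs fewer rows than the full 3 x 2 x 2 = 12 combinations.

```python
from itertools import combinations, product


def all_pairs(parameters: dict) -> list:
    """Greedy pairwise generation: every value of every parameter must appear
    together with every value of every other parameter in at least one row.
    `parameters` maps a parameter name to its list of values."""
    names = list(parameters)
    # Uncovered pairs are keyed by (parameter index, value) so that equal
    # values under different parameters are not confused.
    uncovered = set()
    for (i, a), (j, b) in combinations(enumerate(names), 2):
        for va in parameters[a]:
            for vb in parameters[b]:
                uncovered.add(((i, va), (j, vb)))

    candidates = list(product(*(parameters[n] for n in names)))

    def pairs_of(row):
        return {((i, row[i]), (j, row[j])) for i, j in combinations(range(len(row)), 2)}

    rows = []
    while uncovered:
        # Every uncovered pair lies in some candidate, so the best row always
        # covers at least one new pair and the loop terminates.
        best = max(candidates, key=lambda r: len(pairs_of(r) & uncovered))
        rows.append(dict(zip(names, best)))
        uncovered -= pairs_of(best)
    return rows


def covers_all_pairs(parameters: dict, rows: list) -> bool:
    """Independent check that a row set really covers every pair."""
    names = list(parameters)
    for a, b in combinations(names, 2):
        seen = {(r[a], r[b]) for r in rows}
        for va in parameters[a]:
            for vb in parameters[b]:
                if (va, vb) not in seen:
                    return False
    return True


# Constructed example: 3 browsers, 2 versions, 2 operating systems.
PARAMS = {
    "browser": ["Chrome", "Firefox", "IE"],
    "version": ["current", "previous"],
    "os": ["Windows", "Mac"],
}
```

Brute-forcing the full product as the candidate set keeps the code short; it is fine for a handful of parameters, which is the situation in which a tester reaches for a pairwise tool in the first place.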

Testomate
To be released. I have been a beta tester on this and it’s pretty impressive :-)

Feedback welcome, as always,

Regards,
Pari

13 April, 2012

18 Testing Challenges from Santhosh Tuppad - Part I

My friend cum colleague Santhosh Tuppad posted 18 testing challenges to the testing community on his blog a month ago. I have had lengthy conversations on security testing with Santhosh for a while now. The work that follows in this blog post is dedicated to him, as I learned a lot about security and usability from him. I wasn't too happy when I asked him a lot of questions about the challenges where the context was not clear; he clearly said that he wanted me to set my imagination free and work on the challenge. There you go.

1. What if you click on something (A hyperlink) and to process or navigate to that webpage you need to be signed in? Currently, you are not signed in. Should you be taken to Sign up form or Sign in form? What is the better solution that you can provide?

Why take the user to Sign In page?
I always face this problem on FashionandYou :-). If I had to click on a hyperlink which required me to Sign in, I expect to be taken to the Sign In page where a message “This requires you to be logged in” is displayed to me. This solution offers 2 benefits - one, it tells me why I am taken to Sign In page. Two, it takes me to the correct page.

Why not take the user to Sign Up page?
It’s incorrect to assume that all users who are not logged in are new users. There could be existing users who want to browse without logging in. Taking existing users to the Sign Up page might offend them.

Why display a message while taking the user to Sign In Page?
Some users won’t understand why clicking on a hyperlink is taking them to the Sign In page. It’s better to display a short and crisp message to the user about the need to login to view that page. Please note that forcing users to login to view the content on retail websites is a bad idea. Users must be allowed to login if they need to make a payment or save something to their cart. Eg. Flipkart.

Why not display a dialog with a message while taking the user to Sign In Page?
A dialog just to convey a message is an overhead. Expecting the user to perform an additional step to click ‘Ok’ or whatsoever is a bad usability expectation.

2. Using “Close” naming convention to go back to the homepage is good or it should be named as “Cancel” or it is not really required because there is a “Home” link which is accessible. What are your thoughts?

Since the question talks about going back to the Home Page, a “Back” button is apt. Browser’s “Back” button perfectly serves this purpose.

Providing a “Home” link on every page of the website makes the website more usable across all pages. The website design must be such that “Home” link is placed in a location that is clearly visible. User must be able to go to Home page no matter which part of the website he is on.

Having a “Close” or “Cancel” option adds to user confusion. “Close” is generally attributed to closing the currently open page or dialog. “Cancel” is meant to cancel ‘In Progress’ operations. Using these terms will divert the user from what he intends to do on the website. Hence, it’s better not to use these words to switch to the Home page on websites.

3. Logout should be placed on top right hand side? What if it is on the top left hand side or in the left hand sidebar which is menu widget like “My Profile”, “Change Password” etc. – Is it a problem or what is your thought process?

I am used to the “Log out” option in the top right corner of the page. I was fuming when Google and LinkedIn made it a 2-step process where the user needs to click on his “” hyperlink and then click on “Log out” to log out successfully. Why accomplish the same task in 2 steps when it can be done in 1 step?

We need to optimize the number of clicks used to access any feature on user facing applications. Top class CRM companies follow a guideline as follows: “User must be able to access any feature on the application with 4 clicks or less”.

If I happen to use sites where the Log out feature is at the top left or in the left sidebar, I would struggle initially to learn where the Log out option is. Once I learn, I would go back to the same place the next time I log in. Please note that this is where learnability and memorability come into the picture. The Log out option must be placed such that it is easy for a user to learn quickly. Also, the Log out button design and position must be memorable and easy to recall. It must be good enough for users to remember where it was the next time they log in to differently designed websites.

4. Current design of forgot password asks for username and security answer and then sends a link to e-mail inbox to set new password. How does “security answer” increase the cost of operations? Also, what questions do you frame for security questions?

I often forget my security answer. Where do I go? I would call the support team ;). This means the organization running the website needs to have a toll-free number or a 24/7 support line. This also means there need to be support personnel to take the calls 24/7. This also means appropriate office infrastructure needs to be in place to set up a space for the support folks. This is a huge cost. Any organization professing security without having the above system in place could lose credibility with users.

The regular questions of “What is the name of your first pet?” and “Which school did your grandma go to?” are way too easy to guess for an amateur hacker using social engineering attacks. It would be a good idea to allow the user to frame his own questions. This way, there is some amount of confidentiality involved.

Again, the security answer must be masked. What is the point of doing something that could be seen by any person sneaking a look at your computer (shoulder surfing)? It’s important to maintain the secrecy of secret questions and answers. Please note that there is always a risk of people forgetting secret questions and/or answers. In all probability, some people would write them on a sheet of paper or maintain a diary of passwords ;-). I won’t dare to say women do this for fear of hate mails :-)

5. If you had to design “Forgot Password” working, how would you do it and why? You are free to give different many functional designs.

My design for Forgot Password would be a 3-step process as follows:

Step 1: Identify the user
There needs to be a clear-cut mechanism to identify that the user who has initiated the “Forgot Password” option is a genuine user of the system. I would implement a 3-step verification process to identify the user.
a. Firstly, I would ask for a valid username/email address.
b. Secondly, an additional step could be introduced to make the Forgot Password feature a little more secure. I would include a step wherein a randomly generated security code is emailed/messaged (SMS) to the user (assuming the email address/phone number was provided by the user during registration). The user has to look up the security code received by email/SMS and key it in on this page to go to the next step. Eg. security devices from HSBC bank or the security code in SBI for online transactions.
c. Thirdly, have a strong captcha to prevent spam bots from accessing the Forgot Password feature. The captcha must not be simple enough to be cracked by hackers. It’s important to have a robust set of captchas so that there is no room for automating this step to get past it.

Warning
The username/email address must not be re-sent as a form parameter when the user submits this page; this data must be held on the server. If it is retained in the browser cache or gets sniffed on the network, it could be party time for hackers.

Some security evangelists suggest including a data gathering phase in Step 1 by asking details for any 3 data points from the following list - email address, account number, last name, customer number, date of birth, last 4 digits of social security number, zip code or others.

There is a serious threat to the Forgot Password feature if the above information is used to identify the user. With some amount of social engineering (http://curioustester.blogspot.in/2011/12/social-engineering-attacks.html) on the internet and at a personal level, hackers could get any of the above information easily. Let me give you an example: I need the email address of Sachin Bansal, CEO and co-founder of Flipkart. I know that the domain is flipkart.com as I get all of my Flipkart order information from cs@flipkart.com. The first part of the email address could be Sachin.Bansal or Sachin_Bansal or sbansal or sachinb or sachin or sb. I can start by attaching each of these to @flipkart.com and get the real email address in all probability. And then we have Facebook and other social media sites to confirm whether our research fetched the right result or not. Welcome to the insecure and public world of social media! Your security is at stake!

Step 2: Test if the user is a genuine user
If you happen to be on a few bank websites, there are a host of security questions posed to you to identify if you are a genuine user or not (second level check). Presenting the user with a ready-made security question like “What is the name of the school where you studied” or “What is the year of your graduation” are dangerously scary questions. As I mentioned in Step 1, social engineering attacks can help hackers find such information pretty easily.

Create your own security question
My implementation would mandate that the user creates his/her own question and provides a security answer. This way, there is some amount of confidentiality involved.

Mask your security answer
Again, the security answer must be masked. What is the point of doing something that could be seen by any person sneaking a look at your computer (shoulder surfing)? It’s important to maintain the secrecy of secret questions and answers.

Warnings
1. There is a support cost involved if Step 2 gets implemented. What if the user forgets the security answer? What if the user forgets the security question? This calls for 24/7 customer support to fix user problems. Please note that there is always a risk of people forgetting secret questions and/or answers. In all probability, some people would write them on a sheet of paper or maintain a diary of passwords ;-). I won’t dare to say women do this for fear of hate mails :-)
2. Another problem with this solution is the fact that users might set a weak security question. If users end up setting simple questions, it’s no better than the ready-made questions already asked on many websites.

Step 3: Reset the password
If the user clears Step 1 and Step 2 above, he must be taken to a simple page with New Password and Confirm New Password fields. Ample password complexity must be enforced. A password strength indicator could be a good guide for users to set strong passwords. Once the user has set the new password, the system should log the user out and ask him/her to return to the login page and log in again.

Do’s and Don’ts while designing Forgot Password feature
Do’s

a. Passwords must not be stored in plain text or with weak or reversible encryption in the database. Store only a salted hash computed with a deliberately slow password-hashing function such as bcrypt, scrypt or PBKDF2. A bare SHA-256 of the password is not enough: it is fast by design, so an attacker who steals the database can test billions of guesses per second against it
b. AutoComplete must be set to Off on all pages of the Forgot Password feature, so that valid usernames and answers are not offered to the next person who uses the same browser
c. If the user has reset the password, send an email telling the user the password has changed. The email must not contain the username or the password. This gives the genuine user a chance to detect and report a reset he/she did not request
d. Sending sensitive information with HTTP GET is not safe, because the parameters travel in the URL and end up in server logs, proxy logs and browser history. Forgot Password form data must be sent as HTTP POST in the request body

Don’ts
a. Don’t email the password (permanent or temporary) to the user’s email address. Email is typically relayed and stored in plain text, so an emailed password is readable by anyone sniffing the traffic or with access to the mailbox
b. Having the username in the same email is a bonus for the attacker: he then has both username and password in one message if a flaw in the Forgot Password feature causes it to be delivered to him
c. Being able to email the permanent password at all means it is stored in the backend database in plain text or with a simple reversible encryption that is easy to recover at the database level
d. Shoulder surfing by people around you at work or at home can expose an emailed password just as easily
e. If a temporary password is emailed, the user is expected to reset it. Until the user does so, the temporary password may become accessible to attackers one way or another, and if attackers have discovered a pattern in the temporary passwords they can guess them outright. For e.g., for one famous bug tracking system that I used in the past, ‘password’ is the temporary password. I can log in as anyone if I have their first name and last name :-)
f. If a reset hyperlink is emailed to the user, the validity of that link needs to be handled. What if the user doesn’t reset the password within the designated time? What if the link is not limited to a single use? The link should carry a long random token that expires quickly and is invalidated the moment it is redeemed
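To show what the do’s and don’ts above look like in code, here is an added example (mine, not code from the original post or from any product it mentions): a password store that hashes with salted PBKDF2 instead of a bare SHA-256, and a reset flow in which the emailed link carries a random token that expires and can be redeemed only once, so no password is ever emailed. It uses only the Python standard library; the class and function names, the 15-minute token lifetime and the in-memory dictionaries standing in for database tables are my assumptions, and the small common-password set is a constructed sample.

```python
"""Password-reset flow for a "Forgot Password" feature.

Added example, not code from the original post. Standard library only;
names are illustrative and the dictionaries stand in for database tables.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000    # tune so one hash costs tens of milliseconds
TOKEN_TTL_SECONDS = 15 * 60    # reset links die after 15 minutes (assumption)
# Constructed sample of passwords any policy should refuse.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "trustno1", "iloveyou", "passw0rd"}


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A random salt per password defeats precomputed tables, and the
    iteration count makes every offline guess expensive, which a bare
    SHA-256 of the password does not."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; compare in constant time."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_is_strong(password):
    """Minimal policy: 12+ chars, three character classes, not a known password."""
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return (len(password) >= 12 and classes >= 3
            and password.lower() not in COMMON_PASSWORDS)


class ResetStore:
    """Users table plus reset-token table, in memory. `now` is injectable
    so expiry can be exercised without sleeping."""

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}    # username -> password hash string
        self.tokens = {}   # sha256(token) -> (username, expiry epoch)

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def issue_reset_token(self, username):
        """Return the secret for the emailed link, or None for unknown users.

        256 random bits cannot be guessed like a fixed temporary password.
        Only the token's hash is stored, so a leaked token table does not
        let an attacker reset anyone's password."""
        if username not in self.users:
            return None   # the page shown to the requester must not differ
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (username, self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, new_password):
        """Set the new password and consume the token.

        False for an unknown or expired token or a weak password. A weak
        password does not burn the token (the user may retry); a successful
        reset always does, so the link is single use."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.get(key)
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            del self.tokens[key]
            return False
        if not password_is_strong(new_password):
            return False
        del self.tokens[key]
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = ResetStore()
    store.add_user("alice", "Correct-Horse-Battery-9")
    secret = store.issue_reset_token("alice")   # would be embedded in the emailed link
    print("weak password accepted?", store.redeem(secret, "password"))
    print("reset succeeded?", store.redeem(secret, "Tr0ub4dor&3-extra-long"))
    print("token reusable?", store.redeem(secret, "Another-Strong-Pass-42"))
```

The reset page that receives the token should accept it only via POST and, on success, send the notification mail from point (c) and terminate existing sessions as described in Step 3.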

6. There is neither account lockout policy nor captcha for the login or security answer forms; what kind of problems do you see with the current implementation and what do you propose?

What if there is no account lockout policy?
Scenario 1
Assume there was no account lockout policy on your HDFC bank account, and suppose you want to harm a colleague you hate. Steal his official correspondence from the publicly accessible pigeonholes at the office and get his customer ID; sometimes his dustbin holds torn bank paperwork with confidential details. Once you have the customer ID, you can run a brute-force or dictionary attack on the password. Since there is no account lockout policy, there is no fear of the account getting locked and stopping the trials. Apply a few social engineering principles to learn his wife’s, kids’ or pet’s names and his hobbies, and you can build a customised dictionary of likely passwords and run it against the account.

Scenario 2
Assume you are the proud owner of a Gmail account, with unlimited access to your mail and storage space, of course! Now assume Gmail had no account lockout policy. Anyone who knew your Gmail address could use it to crack your account.

Following is a short write-up of how anyone with a little sharp thinking could guess your passwords and break into your email accounts:
1. Password contains names of family members, girlfriend, boyfriend, best friend, kids or gods - LoveuJohn
2. Password contains your date of birth - Pooja81
3. Password is the same as your username - Rob123
4. Password contains your age at the time of registration - Amy18
5. Password is very short (the site accepts passwords of one character upwards), so brute force finishes quickly
6. Password rules are absent: letters (upper/lower case), numbers and special characters are allowed but none is mandated
7. Password is a commonly used word like password, admin, administrator, test, user, guest, James etc.
8. Password is your nickname or your pet’s name
9. The same password is used for personal, official and financial accounts
10. The site uses poor password validation that does not properly reject incorrect passwords
11. The site does not lock the account or slow down after ‘n’ failed attempts
12. Password is a run of digits - 12345678
13. Password is the name of a game, hobby or interest - cricket, football, chess
14. Password is the name of a favourite animal
15. And many more easy options....

Here's a list of the most popular passwords of 2011, courtesy of http://gizmodo.com/5861667/the-25-most-popular-passwords-of-2011
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

Is your password the same as, or close to, one of the above?

Moral of the story
Never have an account on a website where an account lockout policy is not implemented.

What if there is no captcha?
No Captcha on Registration forms
This one is wide open. I recently needed 50 valid email accounts to be created for testing a website. All I did was write a simple automated script using iMacros (a FREE add-on) for account registration and creation. All I had to do manually was activate these email accounts (note that this step could have been automated too). At the end of the testing effort, these accounts were discarded. Now, if you are a company that allowed 50 email accounts to a single impostor, you lose an awful lot of revenue. Is this what you want? With a captcha in place my script would have failed, because a captcha expects different input each time and needs human intervention. Building a captcha into registration forms is a good design choice to keep out not-so-serious users and spammers.

No Captcha on Forgot Password forms
If there is no captcha on the Forgot Password form, I could write a script to feed umpteen valid email addresses into the Forgot Password page. Why would anyone do that? He could be a cranky user who enjoys irritating fellow users. He might be an unethical hacker. He might not know what to do with his life!

No Captcha on Comments forms on websites and blogs
As a blogger, I get a lot of spam comments advertising Viagra and penis enlargement. I wish spammers took segmentation and targeting seriously and routed their ads to the appropriate audience :-). Without a captcha in place, spammers can write simple scripts to post these *free ads* in the comments section of any website. A captcha requires human intervention, which blocks most such automated spam.

What do I propose?
I propose an account lockout policy triggered after 5-10 failed attempts, tuned to the application’s domain and context, and captchas on the forms described above. Note that a permanent lockout hands an attacker a way to lock genuine users out simply by entering wrong passwords against their names, so the lock should be temporary and the lockout should be paired with a rate limit on the attacker’s side as well.
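As an added example (mine, not from the original post), here is what a lockout policy of that shape looks like in code. It counts consecutive failures per account and locks for a temporary, escalating period rather than permanently, because a permanent lock lets an attacker deny service to any user just by guessing wrong against their name; it also rate-limits by source address so one guess cannot be sprayed across thousands of accounts. The thresholds, the class name and the injected `verify` callback are my assumptions; a real deployment would wire `verify` to its credential check and persist the counters, and the credential dictionary in the demo is a constructed stand-in.

```python
"""Login throttling: temporary, escalating per-account lockout plus a
per-source-address rate limit.

Added example, not code from the original post; names and thresholds are
illustrative assumptions.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # consecutive failures before the account locks
BASE_LOCK_SECONDS = 60      # first lock; doubles for each further lock
MAX_LOCK_SECONDS = 3600     # cap: an attacker must not lock a victim out for days
IP_WINDOW_SECONDS = 60
IP_MAX_ATTEMPTS = 20        # attempts per source address per window, any username


class LoginGuard:
    """Wraps a credential check with lockout and rate limiting.

    `verify(username, password) -> bool` is the real credential check
    (e.g. a salted-hash comparison). `now` is injectable for testing."""

    def __init__(self, verify, now=time.time):
        self.verify = verify
        self.now = now
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.lock_until = {}                # username -> epoch when lock expires
        self.lock_count = defaultdict(int)  # username -> locks so far (escalation)
        self.ip_hits = defaultdict(deque)   # source ip -> recent attempt times

    def _ip_throttled(self, ip):
        """Sliding window per source address, evaluated before anything else."""
        hits = self.ip_hits[ip]
        cutoff = self.now() - IP_WINDOW_SECONDS
        while hits and hits[0] < cutoff:
            hits.popleft()
        if len(hits) >= IP_MAX_ATTEMPTS:
            return True
        hits.append(self.now())
        return False

    def attempt(self, username, password, ip):
        """Return 'ok', 'bad_credentials', 'locked' or 'rate_limited'.

        Unknown users get the same 'bad_credentials' as a wrong password, and
        a locked account rejects even the correct password, so the attacker
        learns nothing while the lock lasts."""
        if self._ip_throttled(ip):
            return "rate_limited"
        until = self.lock_until.get(username)
        if until is not None:
            if self.now() < until:
                return "locked"
            del self.lock_until[username]     # lock expired: start a fresh count
            self.failures[username] = 0
        if self.verify(username, password):
            self.failures[username] = 0
            self.lock_count[username] = 0     # a genuine login resets escalation
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.lock_count[username] += 1
            lock_for = min(BASE_LOCK_SECONDS * 2 ** (self.lock_count[username] - 1),
                           MAX_LOCK_SECONDS)
            self.lock_until[username] = self.now() + lock_for
            self.failures[username] = 0
        return "bad_credentials"


if __name__ == "__main__":
    # Constructed stand-in for a credential check; never compare plaintext in production.
    creds = {"bob": "hunter2-but-longer"}
    guard = LoginGuard(lambda u, p: creds.get(u) == p)
    for guess in ["password", "123456", "qwerty", "abc123", "monkey"]:
        print(guess, "->", guard.attempt("bob", guess, "10.0.0.1"))
    print("correct password while locked ->", guard.attempt("bob", "hunter2-but-longer", "10.0.0.1"))
```

Every 'locked' and 'rate_limited' outcome is worth logging with the source address: a burst of them against many usernames is exactly the dictionary attack described in Scenario 1.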

7. Well, it is about context and there are no best practices in general. What are your thoughts on usage of captcha? Where should they be used and why?


A captcha is a challenge that protects websites from bots by presenting a test that humans can pass but automated scripts cannot. These days there is a rise in the number of bots that use websites in harmful (or rather spamful) ways.

1. Imagine a bot written to register on www.yahoo.com. The script hits the registration page, fills in every field from a data file and submits it. If the bot repeated this for, say, a million accounts, that is a huge loss of revenue for Yahoo! Why would anyone do that? He may be frustrated with Yahoo, may want to frustrate Yahoo for fun, or may want to create a performance overhead on Yahoo’s servers.
2. Imagine a bot hitting the Forgot Password page. Anyone could write a program to pump in all the valid usernames/email addresses it can find and trigger resets for umpteen users. This not only clogs the server; if the flow resets passwords on request it locks genuine users out, and a breach of trust on that scale could see users taking the site to court.
3. Imagine running a website or blog that receives millions of comments. A bot is usually at work posting all those scary ads for products you are not interested in. What if your site could take no more comments? It would simply crash, and your credibility is at stake.
In each of the above cases it is important to stop bots from causing unnecessary harm. The actions above can overload the server with requests and bring it down. To avoid this and similar situations, it is good to bring in a captcha.

To be continued with Part 2 next week.............................


Regards,
Pari