What should testers know about login security?
2022-07-28 04:48:00 【Software testing Intelligence Agency】
As testers, when we are given the keyword "login", our use case design probably first turns to the username and password: whether the input is legal, whether it is empty, whether it is correct, and so on.
But in today's information age, "login security" has become a popular and common topic, so today I would like to share some basic knowledge about login security.
Basic concepts
Before looking at login security, let us first introduce two basic concepts: the "database" (库, a collection of leaked credentials) and "credential stuffing" (撞库, literally "database collision").
The original Baidu definition reads: "Credential stuffing is when a hacker collects usernames and passwords that have already been leaked on the Internet, generates a corresponding dictionary table, and attempts logins in bulk at other websites to obtain a list of users that can be logged in. Because many users use the same account and password on different websites, a hacker can take a user's account at website A and try to log in at website B; this can be understood as a collision attack."
From another angle: the accounts and passwords of many users, aggregated together, form a "database". Criminals who steal such account information will try by every means to turn it into users' real, working credentials. This process of "repeatedly trying" is what we call "collision".
Where criminals "collide", there are naturally defenders who "prevent". To protect the security of user account information, the programmers designing the login flow protect it layer by layer through a series of measures.
Common login security problems
Here are the common scenarios from which we can determine that an account may be under attack:
1. Same password & different accounts, with many failures (password spraying);
2. Same account & different passwords, with many failures (brute force);
3. Frequent requests for SMS verification codes.
These scenarios share two commonalities: "within a short period of time" and "from the same device". When hackers or other criminals keep trying account and password combinations, they are essentially trying different combinations from the same device within a short time. (In practice, attackers also spread attempts across many IPs and devices, which is why the per-account limit below matters as much as the per-IP ones.)
Solutions
Based on the two commonalities of the login security problems above ("within a short period of time" and "from the same device"), there are correspondingly clear solutions:
1. Limit, by IP, the maximum number of SMS requests for the same user;
2. Limit, by IP, the maximum number of password failures for the same user;
3. Limit, by account, the maximum number of password failures for the same user.
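The following is an added example (not code from the original post) that implements the three limits above as a sliding-window counter and replays the three attack scenarios from the previous section against it. The thresholds, the window size, the credential store and the attempt logs are all constructed for the demo; a real service would keep the counters in shared storage such as Redis and compare password hashes rather than plaintext.

```python
"""Sliding-window login risk control implementing the three limits above.

Added example, not code from the original post. Thresholds, window size,
the credential store and the attempt logs are all constructed for the demo.
"""
from collections import defaultdict, deque


class LoginRiskControl:
    """Counts events per key inside a sliding time window (seconds)."""

    def __init__(self, window_seconds=300, max_sms_per_ip=5,
                 max_fail_per_ip=10, max_fail_per_account=5):
        self.window = window_seconds
        self.max_sms_per_ip = max_sms_per_ip
        self.max_fail_per_ip = max_fail_per_ip
        self.max_fail_per_account = max_fail_per_account
        self._events = defaultdict(deque)  # key -> timestamps of events

    def _count(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:  # drop events outside the window
            q.popleft()
        return len(q)

    def allow_sms(self, ip, now):
        """Rule 1: cap SMS requests per IP. Records the request when allowed."""
        if self._count(("sms", ip), now) >= self.max_sms_per_ip:
            return False
        self._events[("sms", ip)].append(now)
        return True

    def allow_login(self, ip, account, now):
        """Rules 2 and 3: refuse attempts once the IP or the account has too many failures."""
        if self._count(("fail_ip", ip), now) >= self.max_fail_per_ip:
            return False
        if self._count(("fail_acct", account), now) >= self.max_fail_per_account:
            return False
        return True

    def record_failure(self, ip, account, now):
        self._events[("fail_ip", ip)].append(now)
        self._events[("fail_acct", account)].append(now)


# Constructed credential store; a real service compares password hashes.
VALID_CREDENTIALS = {"alice": "correct horse",
                     **{f"user{i:02d}": f"secret{i}" for i in range(1, 13)}}


def simulate(attempts, ctrl):
    """Replay (time, ip, account, password) attempts; returns 'ok'/'fail'/'blocked' per attempt."""
    outcomes = []
    for now, ip, account, password in attempts:
        if not ctrl.allow_login(ip, account, now):
            outcomes.append("blocked")
            continue
        if VALID_CREDENTIALS.get(account) == password:
            outcomes.append("ok")
        else:
            ctrl.record_failure(ip, account, now)
            outcomes.append("fail")
    return outcomes


def run_demo():
    """Three constructed attack logs, one per scenario from the text."""
    # Scenario 2 from the text: same account, different passwords (brute force).
    brute_force = [(t, "10.0.0.1", "alice", f"guess{t}") for t in range(7)]
    brute_force.append((7, "10.0.0.1", "alice", "correct horse"))  # right password, still locked
    # Scenario 1 from the text: same password, different accounts (password spraying).
    spray = [(t, "10.0.0.2", f"user{t + 1:02d}", "Password123") for t in range(12)]
    # Scenario 3: SMS code requested 7 times in 7 seconds, then once more after the window.
    sms_ctrl = LoginRiskControl()
    sms = [sms_ctrl.allow_sms("10.0.0.3", t) for t in range(7)]
    sms.append(sms_ctrl.allow_sms("10.0.0.3", 400))
    return {
        "brute_force": simulate(brute_force, LoginRiskControl()),
        "spray": simulate(spray, LoginRiskControl()),
        "sms": sms,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Two things worth noticing when you turn this into test cases: in the spraying scenario each account only fails once, so rule 3 never fires and only the per-IP rule 2 catches it; and in the brute-force scenario the correct password is refused once the account is locked, which is the intended behaviour but also means an attacker can lock a victim out on purpose, so the appeal or unlock path asked about in the next section needs its own test cases.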
Test case design
As a professional tester, before designing use cases you can look beyond the UI design draft and the requirements document and also pay attention to the technical documents provided by development. Where conditions permit, understanding the basic implementation principles behind the feature helps improve the coverage of the test cases we design, so that our testing is more comprehensive and deeper, and the quality of the product improves.
You do not need to understand deep technical principles from the development documents; it is enough to understand the following questions:
1. How is login risk controlled?
2. After a user's login behaviour is judged to be risky, what measures are taken?
3. After a user's login behaviour is judged to be risky, what can be reused (for example, an existing verification flow)?
4. Is there a way for the user to appeal?
Finally, following the ideas above, you can supplement the corresponding functional test cases. Here is a brief list of some test cases:

In addition, while supplementing business test cases, you can also pay attention to the request specification of the corresponding interface. In order to obtain the user's real IP as far as possible, the interface may follow the HTTP request header convention and require the proxies or gateways in front of it to pass X-Forwarded-For when forwarding requests, so that the real user IP can be distinguished.
This can be a point of attention for interface testing: it reduces risk misjudgments caused by a wrongly reported IP, which would otherwise cause normal users to be unable to use product features.
There are two ways to obtain the user's real IP from an HTTP request: one is from the Remote Address (the peer of the TCP connection), the other is from the X-Forwarded-For header. Their security and usage scenarios differ: the remote address cannot be forged by the client, but behind a reverse proxy or load balancer it is the proxy's address, so every user would share one IP; X-Forwarded-For carries the original client IP through the proxies, but any client can send the header itself, so it should only be trusted when the request arrives from a known proxy and only for the entries that proxy appended. If you want to know more, you can expand on these keywords yourself~
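As an added example (not code from the original post), the function below resolves the IP that risk control should count from the two sources just described, honouring X-Forwarded-For only when the connection comes from a trusted proxy and walking the header from the right past our own proxies. The trusted proxy range and the sample requests are constructed for the demo; the cases in `run_demo` are the ones an interface test for IP-based risk control should cover.

```python
"""Resolving the client IP from Remote Address and X-Forwarded-For.

Added example, not code from the original post. The trusted proxy ranges
and the request samples are constructed for the demo.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed: address ranges of our own reverse proxies / load balancers.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _is_trusted(addr, trusted_nets):
    return any(addr in net for net in trusted_nets)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the IP that risk control should count.

    remote_addr is the TCP peer (cannot be forged by the client).
    X-Forwarded-For is only honoured when the connection comes from a trusted
    proxy, and only the rightmost entry not added by our own proxies is used,
    because anything left of that was supplied by the client.
    Raises ValueError on a malformed header so the request can be rejected.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not _is_trusted(ipaddress.ip_address(remote_addr), trusted_nets):
        return remote_addr  # direct connection: the header is untrusted, ignore it
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)  # ValueError on garbage
        if not _is_trusted(addr, trusted_nets):
            return str(addr)
    return remote_addr  # proxy added nothing usable


def run_demo():
    """Constructed requests: direct spoof, one proxy, two proxies, missing header."""
    return {
        # Client connects directly and forges the header: header is ignored.
        "direct_spoof": client_ip("203.0.113.9", "1.2.3.4"),
        # Through one proxy; the client prepended a fake hop, the proxy appended the real one.
        "via_proxy": client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7"),
        # Through two proxies: skip the inner proxy's entry, take the real client.
        "two_proxies": client_ip("10.0.0.5", "198.51.100.7, 10.0.0.6"),
        # Proxy forgot the header: fall back to the proxy address rather than trusting anything.
        "no_header": client_ip("10.0.0.5", None),
    }


if __name__ == "__main__":
    for name, ip in run_demo().items():
        print(name, ip)
```

The "direct_spoof" and "via_proxy" cases are the ones that matter for the risk misjudgment mentioned above: an attacker who can choose the counted IP by sending a header evades the per-IP limits from the Solutions section, while a service that ignores X-Forwarded-For behind a load balancer counts all users under the proxy's address and locks them out together.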
Learn a little every day, and sooner or later you can turn from a rookie into a big shot~