Create an account or change the password to evaluate the password policy
Test simple passwords (only numbers, only letters, short passwords, common ones like 123456) and check whether they are accepted
Identify the minimum and maximum password length by testing very short and very long passwords
Try using the username or personal information inside the password and observe the result
Change the password multiple times and attempt to reuse a previous password
Perform multiple failed login attempts and check whether account lockout or rate limiting is enforced
If alternative factors such as PIN or security questions exist, test whether they are guessable or vulnerable to brute force
Finally, determine whether weaknesses exist in password complexity, password reuse protection, or brute-force protection
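The controls the steps above probe, seen from the defending side, as an added example that is not part of this page: a password-policy validator covering length limits, digit-only and letter-only strings, a common-password denylist, username or personal data inside the password, reuse of previous passwords, and a failed-login lockout counter. The denylist, thresholds, and all names are constructed assumptions, not values from any real product.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample denylist; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}
MIN_LEN, MAX_LEN, HISTORY_DEPTH, MAX_FAILURES = 12, 128, 5, 5

def _digest(password: str) -> str:
    # History holds digests, never plaintext; real storage uses a salted slow hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()

def password_problems(candidate: str, username: str, personal_info=(), history=()) -> list:
    """Return every policy rule the candidate violates; an empty list means it is accepted."""
    rules = [
        (len(candidate) < MIN_LEN, "too short"),
        (len(candidate) > MAX_LEN, "too long"),
        (candidate.isdigit(), "digits only"),
        (candidate.isalpha(), "letters only"),
        (candidate.lower() in COMMON_PASSWORDS, "common password"),
        (_digest(candidate) in history, "reused previous password"),
    ]
    problems = [msg for hit, msg in rules if hit]
    # Username or other personal data embedded anywhere in the password
    problems += [f"contains personal info: {t}" for t in (username, *personal_info)
                 if t and t.lower() in candidate.lower()]
    return problems

def remember(history: list, password: str) -> list:
    """Record an accepted password's digest, keeping only the last HISTORY_DEPTH entries."""
    return (list(history) + [_digest(password)])[-HISTORY_DEPTH:]

@dataclass
class LoginGuard:
    """Counts consecutive failed logins per user and locks the account at the threshold."""
    max_failures: int = MAX_FAILURES
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, credentials_ok: bool) -> str:
        if user in self.locked:
            return "locked"  # refused even with correct credentials until an admin/timeout unlocks
        if credentials_ok:
            self.failures.pop(user, None)
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "failed"
```

Each test step in the checklist maps to one rule or to the lockout counter, so a failing step points at the missing control.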