…if you found in a trash bin a post-it with a username and password on it?
One of a software tester's important jobs is to solve riddles. One of the great testers, Pradeep Soundararajan, is excellent at solving puzzles, but also at creating them. This blog post is inspired by his work.
Please put your answer as a comment on this post.
I will simply ignore it, and trash it so that it should not be accessible to anyone else. Later I will inform the user to reset his/her privileges to secure it.
Regarding the software testing process, I think the user should have a notification on his/her cell phone to do something if someone else is using his/her id even when he is not using it.
Hi there, thank you very much for your comment.
Here are my comments on your comment.
"""I will simply ignore it, and trash it that it should not be in access of any one else. Later I will inform the user to reset his/ her previllages to secure."""
What do you exactly mean by words 'simply ignore it'? Because after that sentence you stated the action you would do it in that situation. Tester must be very careful with his words. With that sentence you contradict yourself and you put confusion in information that you want to deliver.
Could you please explain your thought process of finding out who is the actual user of that account? And which account?
"""Regarding software testing process, I think the user should have notification on his/ her cell phone to do something if some one else is using his/ her id even he is not using."""
How is this connected with software testing process? For me, this is feature of the authentication system. Have you ever encountered such a authentication system?
And, regarding this post:
http://www.shino.de/2010/07/22/quality-is-value-to-some-person-at-some-time/
You said that you would inform the user of that account. This is accurate thinking for a software tester. But after reading the previous post, which other stakeholders need to be informed?
I noticed that your site has the following statement:
"""Independent software QA and testing company""".
Could you please explain the difference between QA and testing?
Once again, I appreciate your comment a lot. It is a very good starting point for further discussion.
Regards, Karlo.
I have a few questions, to find out the context.
– Why am I looking at the papers in the trash?
– Where is the trash bin located? At the office, my home, a random trash bin on the street…
– Is there anything else on the post-it note?
– Did I recognize the username? Meaning, do I know whom to contact, in case I want to let them know I found their credentials?
Hi Zeljko,
Very good questions!
1. You threw some important post-it into the trash bin. You reached in to take it back and found a post-it with a username/password facing you. You recognized that it is a username and password because it was written as some_name/some_chars_that_you_assume_are_password_chars. As you are a tester, you are intrigued by the discovery and you picked up that post-it. It is not one of your own username/passwords.
2. At the location of one of your clients. You have been working with them for some time as a contract software tester.
3. No
4. Here is where your testing job starts. Please explain what you would do next.
Well, a few simple steps would be to store the post-it in a safe place and hand it over to the CIO (Chief Information Officer) to take care of it (assuming that the username on it is meaningful to the CIO or other information security personnel of the client).
A few ideas:
1) If it was a facebook/twitter (or similar) username/password of a person I know well, I would try to log in and make a funny post. Probably a link to http://www.flickr.com/photos/parmiter/2505803867/ or something similar. I would then let the person know that I found their password and recommend https://lastpass.com/
2) If I was working on a top secret project, I would probably let my manager know that somebody in the team has a really bad plain-text password manager.
3) Maybe I would ignore the post-it. Somebody probably changed the password and trashed the old one.
4) Even if the password is not valid any more, there is probably a post-it with the new password somewhere nearby. If the post-it was in the trash near the table I am sitting at, I would take a quick look at the tables near the trash looking for post-its. If I find the post-it with the username and password, I would check if it is the same as the one from the trash. (Checking if the post-it in the trash has the old or the new password.) I would probably leave a note on the new post-it. Something like "I have hacked your password manager".
Hi Zeljko, here are my comments:
1. Yes, this is what a tester should try to do. Try to log on at some of the popular web applications/services. But we should be careful about that action because it is not legal.
2. That is the most important action. A tester must provide information about the project/product. He must also provide his suggestions in order to improve the quality of the project/product. A presentation about the LastPass service, or something similar but not as a cloud service, is a great example.
4. I would ask the following question: "Why would somebody throw a post-it with a username/password in the trash bin in the first place?". Do people have a problem with the password management policy? Are there also username/password post-its in other trash bins? How often do they appear there? How can we help them with that problem?
Zeljko, you put very thoughtful analysis into the problem. Thank you for that.
Hi Manuel, thanks for the comment!
Yes, this is one of the actions. But a tester should go deeper in the problem investigation. Regarding my comments on Zeljko's post under point 4, what more questions would you ask?
Hope to meet you at the next Zagreb STC meetup.
Regards, Karlo.
I would use the details to access their account (assuming I know what the access details were for), and leave a message somewhere in their account area that I had found their username/password, and that they should change their password immediately. Fear is a great weapon 😉 I would then flush the post-it note down the toilet.
Hi, thank you for your answer.
Yes, this is one action that you could take.
I have the following questions for you:
1. What if the action that you suggested is against the security rules at that company?
2. Could you elaborate more on your investigation into finding out what the access details of the found account information are for (for what service is this username/password)?
Regards, Karlo.