Hacking the Code: ASP.NET Web Application Security

James C. Foster, Mark M. Burnett

Code Audit Fast Track

Establishing User Credentials

Enforcing Strong Passwords

Does the application allow for and enforce strong passwords?

Does the application require both a username and password?
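The two questions above are easiest to audit when the policy lives in one routine that every registration and change-password handler calls. The following is an added example, not code from the book or from any ASP.NET library; it assumes .NET 6 or later, and the class name, the length limits, the three-of-four character-class rule and the tiny deny-list are all choices of this example (a real deployment loads a large breached-password list).

```csharp
// Added example (not from the book): a password policy check for an ASP.NET
// registration or change-password handler. Assumes .NET 6 or later.
using System;
using System.Collections.Generic;
using System.Linq;

public static class PasswordPolicy
{
    // Assumed policy values; tune to the application's risk profile.
    private const int MinLength = 12;
    private const int MaxLength = 128;   // bounds the cost of hashing very long input

    // Constructed sample deny-list; production code loads a breached-password list.
    private static readonly HashSet<string> CommonPasswords = new(StringComparer.OrdinalIgnoreCase)
    {
        "password", "password1", "123456789012", "qwertyuiop12", "letmein12345"
    };

    // Returns an empty list when the password is acceptable, otherwise every
    // reason it was rejected, so the user can fix all of them at once.
    public static IList<string> Validate(string password, string username)
    {
        var problems = new List<string>();
        if (string.IsNullOrEmpty(password))
        {
            problems.Add("Password is required.");
            return problems;
        }
        if (password.Length < MinLength)
            problems.Add($"Password must be at least {MinLength} characters.");
        if (password.Length > MaxLength)
            problems.Add($"Password must be at most {MaxLength} characters.");

        // Three of four classes rather than all four: avoids forcing patterns
        // like "Password1!" while still rejecting single-class strings.
        int classes = 0;
        if (password.Any(char.IsUpper)) classes++;
        if (password.Any(char.IsLower)) classes++;
        if (password.Any(char.IsDigit)) classes++;
        if (password.Any(c => !char.IsLetterOrDigit(c))) classes++;
        if (classes < 3)
            problems.Add("Password must mix at least three of: upper case, lower case, digits, symbols.");

        if (CommonPasswords.Contains(password))
            problems.Add("Password is too common.");

        // A password that contains the username is trivially guessable.
        if (!string.IsNullOrEmpty(username) && username.Length >= 3 &&
            password.Contains(username, StringComparison.OrdinalIgnoreCase))
            problems.Add("Password must not contain the username.");

        // Runs of one character ("aaaaaaaaaaaa") and plain sequences
        // ("abcdefghijkl") can pass the class check but are still guessable.
        if (IsRepeatedOrSequential(password))
            problems.Add("Password must not be a repeated or sequential string.");

        return problems;
    }

    private static bool IsRepeatedOrSequential(string s)
    {
        bool repeated = s.All(c => c == s[0]);
        bool ascending = true, descending = true;
        for (int i = 1; i < s.Length; i++)
        {
            if (s[i] != s[i - 1] + 1) ascending = false;
            if (s[i] != s[i - 1] - 1) descending = false;
        }
        return repeated || ascending || descending;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        var samples = new[] { ("Password1!", "alice"), ("alice-Summer-2024", "alice"), ("Tr0ub4dor&3-correct", "alice") };
        foreach (var (pw, user) in samples)
        {
            var problems = Validate(pw, user);
            Console.WriteLine(problems.Count == 0 ? $"OK: {pw}" : $"REJECT {pw}: {string.Join(" ", problems)}");
        }
    }
}
```

Run the same routine on the server regardless of any client-side check; the client check only improves the user experience, the server check is the control.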

Avoiding Easily Guessed Credentials

Does the application avoid using sequential user account numbers?

Do account numbers or usernames follow predictable patterns?

Do customer service personnel select passwords for users rather than users selecting their own?

Does the system create default passwords?

Preventing Credential Harvesting

Do account numbers or usernames follow predictable patterns?

Are identifiable account numbers or usernames passed as query strings on URLs?

Do account numbers or usernames unnecessarily appear on HTML pages?

Limiting Idle Accounts

Does the system have large numbers of idle accounts?

Is it possible to determine another user’s account activity?

Are users notified via e-mail after major account changes?

Managing Passwords

Storing Passwords

Are password hashes rather than actual passwords stored?

Are password hashes stored using well-established hashing algorithms?

Can encryption keys be easily changed?

Do password hashes use random salts?
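The four storage questions above can be answered by reading one type if the application routes all password storage through it. The following is an added example, not the book's code and not an ASP.NET API: it assumes .NET 6 or later (for the static Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes), and the class name, the record format and the iteration count are choices of this example. Each record carries its own algorithm, iteration count and salt, so the work factor can be raised later without invalidating existing users.

```csharp
// Added example (not from the book): salted PBKDF2 password storage with a
// self-describing record, constant-time verification and an upgrade check.
// Assumes .NET 6 or later.
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    // Current parameters. Stored records carry their own, so these can change.
    private const int Iterations = 600_000;      // PBKDF2-HMAC-SHA256 work factor (assumed)
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private static readonly HashAlgorithmName Prf = HashAlgorithmName.SHA256;

    // Record format: pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
    public static string Hash(string password) => HashWith(password, Iterations);

    private static string HashWith(string password, int iterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);   // fresh random salt per record
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, HashBytes);
        return $"pbkdf2-sha256${iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // True when the password matches the record. The comparison does not
    // short-circuit on the first differing byte.
    public static bool Verify(string password, string record)
    {
        if (!TryParse(record, out int iterations, out byte[] salt, out byte[] expected))
            return false;
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // True when a record was made with weaker parameters than the current ones.
    // Call after a successful login, then store Hash(password) in its place.
    public static bool NeedsRehash(string record)
    {
        return !TryParse(record, out int iterations, out byte[] salt, out _)
            || iterations < Iterations || salt.Length < SaltBytes;
    }

    private static bool TryParse(string record, out int iterations, out byte[] salt, out byte[] hash)
    {
        iterations = 0;
        salt = hash = Array.Empty<byte>();
        string[] parts = record?.Split('$') ?? Array.Empty<string>();   // base64 never contains '$'
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out iterations) || iterations <= 0) return false;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            hash = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; }
        return salt.Length > 0 && hash.Length > 0;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string record = Hash("correct horse battery staple");
        Console.WriteLine(record);
        Console.WriteLine($"right password: {Verify("correct horse battery staple", record)}");
        Console.WriteLine($"wrong case:     {Verify("Correct horse battery staple", record)}");
        // Same password, two users: the salt makes the stored records differ.
        Console.WriteLine($"records differ: {Hash("hunter2") != Hash("hunter2")}");
        // A record made under an older, weaker work factor is flagged for upgrade.
        string legacy = HashWith("hunter2", 10_000);
        Console.WriteLine($"legacy verifies: {Verify("hunter2", legacy)}, needs rehash: {NeedsRehash(legacy)}");
    }
}
```

Anything the checklist later calls a password equivalent, such as a secret-question answer, belongs in the same routine after normalisation (trim, case-fold) rather than in a separate plaintext column.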

Password Aging and Password Histories

Does the application allow for password aging and do passwords expire after a set amount of time?

Does the application enforce password histories to prevent users from reusing passwords?

Changing Passwords

Is it convenient for users to change their passwords?

Are users reminded to regularly change their passwords?

Does the password change process require the previous password?

Does the system confirm password changes via e-mail?

Does the system expire all active sessions after changing passwords?
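Expiring every active session after a password change needs something in each session that changes with the credentials. The following is an added example, not the book's code; it is framework-neutral so it runs as a console program, where in ASP.NET the token would be the contents of the authentication cookie. It assumes .NET 6 or later, and the in-memory user store, the "security stamp" field and the token layout are assumptions of this example.

```csharp
// Added example (not from the book): a per-user security stamp bound into the
// session token, rotated on password change so every earlier session dies.
// Assumes .NET 6 or later; usernames are assumed not to contain ':'.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class UserRecord
{
    public string PasswordRecord = "";   // whatever the password hasher stores
    public string SecurityStamp = "";    // random value, rotated on any credential change
}

public static class SessionService
{
    // Hypothetical in-memory user store standing in for the database.
    public static readonly Dictionary<string, UserRecord> Users = new();
    // Server-side key for signing session tokens; load from a key store in production.
    private static readonly byte[] TokenKey = RandomNumberGenerator.GetBytes(32);

    public static void CreateUser(string name, string passwordRecord)
    {
        Users[name] = new UserRecord { PasswordRecord = passwordRecord, SecurityStamp = NewStamp() };
    }

    // Token = user:stamp:base64(HMAC(user:stamp)). The stamp ties the token to
    // the credential state at the moment of login.
    public static string IssueSession(string user)
    {
        string payload = $"{user}:{Users[user].SecurityStamp}";
        return $"{payload}:{Convert.ToBase64String(Sign(payload))}";
    }

    // A request is authenticated only if the signature checks AND the stamp in
    // the token still equals the user's current stamp.
    public static bool IsSessionValid(string token)
    {
        string[] parts = token.Split(':');
        if (parts.Length != 3 || !Users.TryGetValue(parts[0], out var user)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }
        byte[] expected = Sign($"{parts[0]}:{parts[1]}");
        if (!CryptographicOperations.FixedTimeEquals(presented, expected)) return false;
        return parts[1] == user.SecurityStamp;
    }

    public static void ChangePassword(string user, string newPasswordRecord)
    {
        var u = Users[user];
        u.PasswordRecord = newPasswordRecord;
        u.SecurityStamp = NewStamp();   // every token issued before this line is now rejected
    }

    private static string NewStamp() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));

    private static byte[] Sign(string payload)
    {
        using var hmac = new HMACSHA256(TokenKey);
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    public static void Main()
    {
        // Constructed scenario: one user logged in on two devices.
        CreateUser("alice", "<hashed password record>");
        string laptop = IssueSession("alice");
        string phone = IssueSession("alice");
        Console.WriteLine($"before change: laptop={IsSessionValid(laptop)} phone={IsSessionValid(phone)}");
        ChangePassword("alice", "<new hashed password record>");
        Console.WriteLine($"after change:  laptop={IsSessionValid(laptop)} phone={IsSessionValid(phone)}");
        string fresh = IssueSession("alice");   // the user signs in again with the new password
        Console.WriteLine($"new login:     fresh={IsSessionValid(fresh)}");
    }
}
```

Rotate the stamp on every credential event the checklist mentions (password change, password reset, secret-question change), not only on the change-password page; the same field also lets an administrator or the user force all devices to log out.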

Resetting Lost or Forgotten Passwords

Resetting Passwords

Does the system allow only password resets, rather than retrieval?

Does the system require users to answer secret or other questions to reset the password?

Does the system send an e-mail to confirm the password change?

Sending Information Via E-Mail

Does the system avoid sending sensitive information via e-mail?

Assigning Temporary Passwords

If using temporary passwords, does the system use a strong random password algorithm?

If the system uses temporary passwords, do they have a short expiration period?
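A temporary password has to come from a cryptographic random source, be stored only as a hash, expire quickly and work once. The following is an added example, not the book's code; it assumes .NET 6 or later, and the alphabet, the 15-minute lifetime, the attempt limit and the in-memory store are assumptions of this example. Because the value carries roughly 93 bits of entropy, a single SHA-256 is enough to store it; a slow password hash is for low-entropy user-chosen secrets.

```csharp
// Added example (not from the book): issuing and redeeming a temporary
// password from a CSPRNG with a short lifetime and single use. Assumes .NET 6+.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class TemporaryCredential
{
    public byte[] Hash = Array.Empty<byte>();   // store only the digest, never the plaintext
    public DateTimeOffset ExpiresAt;
    public bool Used;
    public int Attempts;
}

public static class TemporaryPasswords
{
    // Unambiguous alphabet (no 0/O, 1/l/I): matters when the value is read out
    // over the phone or retyped from an e-mail. 57 symbols, 16 of them = ~93 bits.
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    private const int Length = 16;
    private const int MaxAttempts = 5;
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15);

    // Hypothetical store keyed by username; a real one is a database table.
    public static readonly Dictionary<string, TemporaryCredential> Pending = new();

    // Returns the plaintext exactly once, for delivery out of band (e.g. to the
    // e-mail address on file); only its digest and expiry are retained.
    public static string Issue(string user, DateTimeOffset now)
    {
        var chars = new char[Length];
        for (int i = 0; i < Length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];   // unbiased, CSPRNG-backed
        string temp = new string(chars);
        Pending[user] = new TemporaryCredential { Hash = Digest(temp), ExpiresAt = now + Lifetime };
        return temp;
    }

    // Accepts the temporary password once, within its lifetime and attempt budget.
    // On success the caller must immediately force a real password change.
    public static bool Redeem(string user, string candidate, DateTimeOffset now)
    {
        if (!Pending.TryGetValue(user, out var cred)) return false;
        if (cred.Used || now > cred.ExpiresAt || ++cred.Attempts > MaxAttempts)
        {
            Pending.Remove(user);   // spent, expired or being guessed: drop it
            return false;
        }
        bool ok = CryptographicOperations.FixedTimeEquals(cred.Hash, Digest(candidate));
        if (ok) cred.Used = true;   // single use; a replay of the same value fails
        return ok;
    }

    private static byte[] Digest(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));

    public static void Main()
    {
        // Constructed clock so the run is reproducible.
        var issued = new DateTimeOffset(2024, 1, 1, 9, 0, 0, TimeSpan.Zero);
        string temp = Issue("bob", issued);
        Console.WriteLine($"deliver out of band: {temp}");
        Console.WriteLine($"wrong value:   {Redeem("bob", "not-the-value", issued.AddMinutes(1))}");
        Console.WriteLine($"first use:     {Redeem("bob", temp, issued.AddMinutes(1))}");
        Console.WriteLine($"replay:        {Redeem("bob", temp, issued.AddMinutes(2))}");
        string temp2 = Issue("bob", issued);
        Console.WriteLine($"after expiry:  {Redeem("bob", temp2, issued.AddMinutes(16))}");
    }
}
```

Issuing a new temporary password overwrites any pending one, so an attacker who triggered a reset cannot keep an older value alive; and the redemption path should land the user on the change-password page, not in a normal session.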

Using Secret Questions

Are secret questions treated as password equivalents?

Do the secret questions have a large number of possible answers?

Does the system avoid secret questions with common answers?

Does the system prevent users from setting their own secret questions?

Empowering Users

Educating Users

Is a help page available to educate users on security?

Does the Web site provide other methods to educate users?

Involving Users

Are users able to view a history of transactions and events related to their account?

Are users able to view a history of account logins, including dates, times, and IP addresses?

Do users have an easy and intuitive way to report security incidents?

Can advanced users customize their security options?

Are users able to revoke or delete unused accounts?