Issue-1151: Update WSTG-ATHN-07 (#1176)
* Fix-1151: Update WSTG-ATHN-07

- Reflect agreed name change.
- Update summary for weak credential usage.
- Add a step to the how to test section.
alp1n3-eth authored Dec 20, 2024
1 parent 5b47731 commit 0da9065
Showing 4 changed files with 7 additions and 4 deletions.
@@ -1,4 +1,4 @@
# Testing for Weak Password Policy
# Testing for Weak Authentication Methods

|ID |
|------------|
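Review bot: The H1 rename to "Testing for Weak Authentication Methods" only works if the file itself is renamed to `07-Testing_for_Weak_Authentication_Methods.md`, because the links updated in the other three files in this commit all point at that new path; please confirm the rename is part of the change set. The hunk also cuts off just above the `|ID |` table, so verify that the ID cell still reads `WSTG-ATHN-07`, which the commit title names as the identifier being updated, so that existing references by ID remain valid.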
Expand All @@ -8,6 +8,8 @@

The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: `123456`, `password` and `qwerty`.

Additionally, applications may utilize alternative credentials that are treated the same as a password, but are considerably weaker, such as a birthdates, social security numbers, PINs, or security questions. In some scenarios, these more easily guessed credentials may act as the only user supplied value for authentication.

## Test Objectives

- Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.
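Review bot: The new paragraph widens the scope to non-password credentials, but the Test Objectives bullet in the trailing context still speaks only of "password guessing using available password dictionaries" and the "length, complexity, reuse, and aging requirements of passwords"; add an objective covering the alternative credentials named here (birthdates, social security numbers, PINs, security questions) so the objectives match the new how-to-test step. Minor grammar in the added paragraph: "such as a birthdates" should read "such as birthdates".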
Expand All @@ -23,6 +25,7 @@ The most prevalent and most easily administered authentication mechanism is a st
6. Is the user prevented from using his username or other account information (such as first or last name) in the password?
7. What are the minimum and maximum password lengths that can be set, and are they appropriate for the sensitivity of the account and application?
8. Is it possible to set common passwords such as `Password1` or `123456`?
9. Is the credential chosen for the user by the application, such as a social security number or a birthdate? Is the credential that's utilized in lieu of a standard password easily obtainable, predictable, or susceptible to brute-force attacks?

## Remediation

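Review bot: Step 9 packs two separate checks into one item: whether the application chooses the credential for the user (a social security number or birthdate) and whether that credential is obtainable, predictable, or brute-forceable. Splitting it into two numbered steps, or at least two sentences with one question each, would keep it consistent with steps 6 to 8, which each ask a single question.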
Expand Up @@ -181,7 +181,7 @@ Once the user has proved their identity (either through a password reset link, a

- Is a strong and effective password policy applied?

The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) guide for further information.
The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) guide for further information.

## References

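Review bot: Link text and target are updated consistently with the rename. The surrounding sentence still frames the cross-reference purely as "the password policy should be consistent"; since the linked guide now also covers credentials used in lieu of a password, consider adding a short clause noting that the same consistency expectation applies to reset flows that rely on such credentials.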
Expand Up @@ -12,7 +12,7 @@

4.4.6 [Testing for Browser Cache Weaknesses](06-Testing_for_Browser_Cache_Weaknesses.md)

4.4.7 [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md)
4.4.7 [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md)

4.4.8 [Testing for Weak Security Question Answer](08-Testing_for_Weak_Security_Question_Answer.md)

2 changes: 1 addition & 1 deletion document/README.md
Expand Up @@ -126,7 +126,7 @@

#### 4.4.6 [Testing for Browser Cache Weaknesses](4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.md)

#### 4.4.7 [Testing for Weak Password Policy](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md)
#### 4.4.7 [Testing for Weak Authentication Methods](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md)

#### 4.4.8 [Testing for Weak Security Question Answer](4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.md)

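Review bot: Both index entries (document/README.md and the chapter list) now point at `07-Testing_for_Weak_Authentication_Methods.md`. Since the old path `07-Testing_for_Weak_Password_Policy.md` was linked from at least three places in this repository, a repository-wide search for the old filename before merge would confirm that no other reference still uses it.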