How to prove that authentication system works, and that the customer is using the wrong password?
There's not a really quick way to prove this because the hash is designed not to be reversible.
You could take their claimed password, and manually generate the hash as @TechTreeDev suggested. You should be using a salted hash (i.e. BCrypt) so make sure you use the same salt.
If the manually generated hash matches, then you've proved an issue in the login code.
More likely the generated hash will be different, then you've ruled out login code issues, but there still could be an issue with the password setup, or a mistake in your manual generation.
That's pretty much the extent of what you can do to check a single person's password. Beyond that we get into system testing.
If you suspect an intermittent/random chance edge case, you could create a monkey test script to set up passwords and then try them. This approach is probably overkill though.
The best thing is to review your login code and all points that reset the password. The code should be as short and concise as possible. In my experience, the best way to rule out edge case issues is with code review, as such edge cases are often not covered by manual testing.
A few things to specifically look for:
Make sure that the maxlength setting is consistent (or better yet, not present) on any password <input>s. You are looking for consistency between password setup and the login form. Make sure there is no server-side truncation.
Make sure that encoding is consistent. If a non-ASCII character is used in the password, the password setup form and login forms need to behave exactly the same.
Also don't automatically strip anything like whitespace or non-ASCII characters from the password. This is the kind of thing you can easily catch with a code review if your code is concise.
Finally some human tips:
Verify they are using the correct username first.
Check the caps lock setting is correct.
Give the customer support folks a log of every date/time of login or of password reset. If there has been at least one login since the last reset then they know the system worked correctly.
As long as the login code is unchanged, and the hash is unchanged since last success, then you can be reasonably certain that the issue must be a mis-typed password.
Review the UX of the Wrong Password error, providing the user with some simple tips and authoritative explanation of possibilities. This may reduce call-ins to customer service.
It may be helpful to email notify the customer when a password is reset to remind them. (or other family member in case of shared accounts)
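As an added example (not from the answer above), a small Python diagnostic for the manual check the answer describes: hash the claimed password with the stored salt and compare, then also hash a few variants (trailing whitespace stripped, truncated to a maxlength, Unicode-normalized, Caps Lock swapped) so that a match tells you which setup-path defect to look for. PBKDF2-HMAC-SHA256 stands in for the bcrypt the answer recommends, and the salt, maxlength and sample passwords are constructed.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for the real verifier: PBKDF2-HMAC-SHA256 with a per-user
# salt. The diagnostic only needs "hash with the stored salt and compare", so a
# bcrypt-based verifier slots in here unchanged.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison, as the real login path should do.
    return hmac.compare_digest(hash_password(password, salt), stored)

def candidate_variants(claimed: str, maxlength: int = 16) -> dict:
    """Ways the setup form or its input field may have altered the password
    before it was hashed (maxlength=16 is a constructed assumption)."""
    return {
        "exact": claimed,
        "stripped": claimed.strip(),
        "truncated": claimed[:maxlength],
        "nfc": unicodedata.normalize("NFC", claimed),
        "nfd": unicodedata.normalize("NFD", claimed),
        "caps_lock": claimed.swapcase(),
    }

def diagnose(claimed: str, salt: bytes, stored: bytes, maxlength: int = 16) -> list:
    """Return the names of variants whose hash matches the stored hash.
    ['exact']        -> login code is at fault (it should have accepted this)
    another name     -> the setup path altered the password that way
    []               -> most likely a mistyped or different password."""
    seen, hits = set(), []
    for name, pw in candidate_variants(claimed, maxlength).items():
        if pw in seen:          # identical variant, report only the first name
            continue
        seen.add(pw)
        if verify(pw, salt, stored):
            hits.append(name)
    return hits

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-user salt
    # Constructed scenario: the setup form had maxlength=16 and silently cut the password.
    chosen = "correct horse battery staple"
    stored = hash_password(chosen[:16], salt)
    print(diagnose(chosen, salt, stored))  # ['truncated']
```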
There's one way to know for sure, and that is calculating the hash of what the user entered, using the same salt, and comparing that with what you have. However, that's what the login process already does and the user doesn't believe that. Why should they believe it when you do it for them?
Instead, you could do what I've been seeing a lot lately, in Windows 10 for example, but also on websites:
Give the user a way to verify what they've entered.
Of course, when logging in, the characters should be represented as dots or other characters, so snoopers can't see the password by looking over the user's shoulder.
But as long as it's in the input field, it hasn't been encrypted or hashed in any way yet. So provide a button that turns those dots into the actual characters.
That way, after entering the wrong password, they can enter it again and see what they've just entered. Or they can check prior to logging in.
Forgotten CapsLocks, hanging Shifts, typos; they can all be detected by the user this way.
To improve your user experience you first of all need to add some UI to tell users of the following conditions:
- Caps lock activated
- Warning if there are trailing whitespaces in username
- Warning if there are trailing whitespaces in password
- prevent using whitespaces in email (if using email instead of username)
- prevent using and automatically remove newlines (there are several new line variants)
- prevent using and automatically remove control characters
- if you are using JavaScript, some browsers have it disabled, so you have to move these steps to the server side.
Also when password inserted is wrong display the following message:
Password or username/mail is wrong. Please type it paying attention to lower-case or uppercase letters and all symbols and numbers; they must match perfectly. Avoid doing copy-paste because sometimes copying text may add additional unwanted whitespaces and/or newlines.
Keep in mind that your users may be right! I once had an old phone that didn't allow me to log in to a web page; I don't know if that was a text encoding issue, but my password was alphanumeric and worked perfectly on a PC.