Validating a password protection system involves:
1. Identifying possible threats. The principal threats are
a. Attacker gains access without a password
b. Attacker guesses a password of an authorised user
c. Attacker uses a password cracking tool to discover passwords of authorised users
d. Users make passwords available to attackers
e. Attacker gains access to an unencrypted password file
2. Developing tests that cover each of these threats
a. Test system for all authorised used to check that they have set a password.
b. Test system heuristically for commonly used passwords such as names of users, festivals, other proper names, strings such as '12345' etc.
c. Check that all user passwords are not words that are in a dictionary. A password cracking tool usually checks encrypted passwords against the same encryptions of words in a dictionary.
d. This is very hard to check. To stop users writing down passwords you need to allow words that are in the dictionary and are hence easy to remember.
e. Check that access to the password file is very limited. Check that all copy actions on the password file are logged.