Last updated on September 4th, 2014 at 08:41 am
Short, dictionary-based passwords must DIE… and here’s why:
We have just found a fairly strong but short email password compromised on a server (one with only two customers on it). This allowed scammers from Thailand to send emails through the customer’s account for a number of hours before they were detected.
Gone are the days when these scammers sent out thousands in one blast. Now they send a few a minute, and that can fly under the radar: a slow email scam won’t trigger the systems we have in place, which look for large spikes in email traffic.
But back to passwords. We currently recommend that customers use passwords no shorter than 12 characters. Given enough time, the scammers can brute-force shorter passwords. We have scanners on our servers that look for multiple failed login attempts from the same IP address, and when we find them we block the scum from accessing the servers, but by using botnets these thieves can spread their attempts across many different IP addresses and keep trying to break your password. We cannot share the techniques we use to detect scammers attacking accounts, but suffice it to say: lower the limits and customers will be impacted; raise the limits and more attacks go undetected for longer. It is a fine balancing act between providing secure, safe services and inconveniencing our paying customers.
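The trade-off described above (per-IP blocking versus botnet-distributed and low-and-slow guessing) is easier to see on data. The following is an added example, not the provider’s own scanner: it runs a sliding-window failed-login detector over a handful of constructed log lines. The log format, the thresholds and the ten-minute window are assumptions chosen for illustration.

```python
"""Failed-login detector: per-source-IP threshold versus per-account threshold
over a sliding time window.

Added example, not the hosting provider's scanner. The log line shape and the
limits below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log line shape, loosely modelled on a mail server's auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth failed "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(line):
    """Return (timestamp, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect(lines, window=timedelta(minutes=10), per_ip=5, per_user=5):
    """Return (blocked_ips, flagged_users) for chronologically ordered lines.

    per_ip:   failures from one IP inside `window` before that IP is blocked.
    per_user: failures against one account inside `window`, from any number of
              IPs, before the account is flagged. This second counter is what
              catches guessing spread across a botnet, which the per-IP
              counter never sees.
    """
    ip_hits = defaultdict(deque)
    user_hits = defaultdict(deque)
    blocked_ips, flagged_users = set(), set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        for key, table, limit, out in ((ip, ip_hits, per_ip, blocked_ips),
                                       (user, user_hits, per_user, flagged_users)):
            q = table[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop hits older than the window
                q.popleft()
            if len(q) >= limit:
                out.add(key)
    return blocked_ips, flagged_users


# Constructed sample log (not real traffic). Three patterns:
#  - 203.0.113.5 sprays five different accounts from one IP in 80 seconds
#  - five botnet IPs each try sales@example.com once, one per minute
#  - 192.0.2.9 tries alice@example.com every 15 minutes ("low and slow")
SAMPLE_LOG = [
    "2014-09-04 08:00:00 auth failed user=u1@example.com ip=203.0.113.5",
    "2014-09-04 08:00:20 auth failed user=u2@example.com ip=203.0.113.5",
    "2014-09-04 08:00:40 auth failed user=u3@example.com ip=203.0.113.5",
    "2014-09-04 08:01:00 auth failed user=u4@example.com ip=203.0.113.5",
    "2014-09-04 08:01:20 auth failed user=u5@example.com ip=203.0.113.5",
    "2014-09-04 08:10:00 auth failed user=sales@example.com ip=198.51.100.1",
    "2014-09-04 08:11:00 auth failed user=sales@example.com ip=198.51.100.2",
    "2014-09-04 08:12:00 auth failed user=sales@example.com ip=198.51.100.3",
    "2014-09-04 08:13:00 auth failed user=sales@example.com ip=198.51.100.4",
    "2014-09-04 08:14:00 auth failed user=sales@example.com ip=198.51.100.5",
    "2014-09-04 09:00:00 auth failed user=alice@example.com ip=192.0.2.9",
    "2014-09-04 09:15:00 auth failed user=alice@example.com ip=192.0.2.9",
    "2014-09-04 09:30:00 auth failed user=alice@example.com ip=192.0.2.9",
    "2014-09-04 09:45:00 auth failed user=alice@example.com ip=192.0.2.9",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
    # Widening the window and lowering the limit catches the slow attacker,
    # but the same setting would also trip on a customer who mistypes a
    # password a few times an hour: that is the balancing act in practice.
    print(detect(SAMPLE_LOG, window=timedelta(hours=1), per_ip=4))
```

With the default settings the spraying IP is blocked and the distributed attack is caught only by the per-account counter; the slow attacker never exceeds one failure per ten-minute window and slips through. Widening the window to an hour with a limit of four catches it, at the cost of more false positives from legitimate users.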
Again – back to passwords:
Any password that includes a dictionary word is particularly weak. If you need a random password, use a generator, or a program such as LastPass or KeePass2. These programs can be set up to run on thumb drives, your phone and your laptop. You can sync your passwords across all devices and use totally random passwords which are VERY hard to brute-force, let alone guess.
You really should embrace passwords that are not even memorable to you, because if you can remember a password, chances are you will use it in many places, and that’s a bad idea as well.
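To make the length and dictionary-word points concrete, here is an added example (not code from the original post or from any password manager) that generates a random password with Python’s CSPRNG, puts a number on the 8-versus-12-character difference, and flags passwords built around a common word, including simple letter-for-digit substitutions. The guess rate and the tiny word list are assumptions for illustration.

```python
"""Random password generation, brute-force cost estimate, and a simple
dictionary-word check.

Added example, not from the original page or any password manager. The
guess rate and the word list below are assumptions for illustration.
"""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list; a real check would use a full dictionary.
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}


def generate(length=16, alphabet=ALPHABET):
    """Uniformly random password from `secrets` (a CSPRNG), never `random`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second=1e10):
    """Worst-case years to try every password of this shape.

    1e10 guesses/s is an assumed offline cracking rate (GPU, fast hash);
    online guessing against a mail server is many orders slower, which is
    why rate limiting there is worthwhile at all.
    """
    total = alphabet_size ** length
    return total / guesses_per_second / (365 * 24 * 3600)


def contains_dictionary_word(password, words=COMMON_WORDS, min_len=4):
    """True if any listed word appears in the password, case-insensitively,
    also after undoing common substitutions such as 0->o, 1->l, @->a, $->s."""
    p = password.lower()
    undo_leet = str.maketrans("0134@$", "oleaas")
    candidates = {p, p.translate(undo_leet)}
    return any(w in c for w in words if len(w) >= min_len for c in candidates)


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n} chars: {entropy_bits(n, len(ALPHABET)):.1f} bits, "
              f"{years_to_exhaust(n, len(ALPHABET)):.3g} years to exhaust")
    pw = generate()
    print(pw, contains_dictionary_word(pw))
    print(contains_dictionary_word("P@$$w0rd"), contains_dictionary_word("Summer2014!"))
```

At the assumed rate an 8-character password over the full printable alphabet is exhausted in well under a day, while 12 characters takes over a million years; that gap, not any particular symbol mix, is why the 12-character floor matters. The dictionary check is deliberately crude: its job is to show that “Summer2014!” and “P@$$w0rd” are the same guess to an attacker with a word list.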
Resources: