Saturday, January 10, 2009

Secure your social networking passwords

It amazes me that an 18-year-old hacker can break into a Twitter admin account and start changing the passwords of famous users with a dictionary attack script. Creating complex passwords is Security 101. Some, including Michael Arrington of TechCrunch, say this breach is proof that Twitter isn't ready for prime time. I disagree. It's not a Twitter problem. It's a problem of not having a strong password policy and users not picking strong passwords.

In general strong passwords:
  • should be at least seven characters long
  • should not contain your user name, real name, or company name
  • should not contain a word you can find in the dictionary
  • should contain a combination of uppercase and lowercase letters, as well as numeral and symbols
Also when changing a password, the new password should be significantly different from the pervious password. Passwords that increment (Password1, Password2, Password3...) are not strong. And passphrases are more secure than passwords. A passphrase is a sequence of words rather than just one password.

If strong passwords aren't required by the service in question, weak passwords are a user problem and are probably just as much of a problem on other social media sites. One way to address this is to require users to use secure passwords. LiveJournal is an example of a service that now requires strong passwords. In fact, LiveJournal has a stronger password policy than my bank.

Facebook, on the other hand, doesn't appear to have any sort of strong password policy at all.

The other way to address this problem is education. The press that the Twitter data breach have generated will hopefully let the general public know that weak passwords dangerous.

Labels: , , ,

1 Comments:

Blogger Aaron said...

I was just complaining to our IT guy today about why the hell my password needs to be changed every 60 days, and why the hell it is so hard to come up with one it will accept. I just got my answer. Great article.

8:46 PM  

Post a Comment

<< Home