One of the first and best rules of practicing good web site security is to make sure passwords are secure. The good news is secure passwords do not have to be impossible to remember, and memorable passwords can still be secure.
So, What Is the Problem?
The other day a customer came to me and revealed the password he was using to maintain one of his web sites. It was a password I have seen hundreds of times before from other customers. Now, if I have seen that password that many times, you can guarantee the bad guys have it in their password lists that they use to try to gain access to a typical web site.
Password lists are files that contain common usernames and passwords. Attackers import such a list into a specialized application that is programmed to look for web sites to hack. A modern way of doing this is with a large number of previously infected private computers called “botnets.” A botnet is remote controlled by a single hacker and can attack a single site from lots of different IP addresses (the hacked computers), reducing the chances of the attack being discovered and blocked by the server’s firewall. Conversely, a single IP address that continuously fails to log in would be easy to discover and would be blocked fairly quickly.
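The contrast described above, as an added example that is not part of the original article: a per-IP failure counter blocks the single noisy address but misses guesses spread across many addresses, while counting failures per account catches them. The thresholds, the time window, and the log events are constructed assumptions.

```python
from collections import defaultdict, deque

# Each event is (timestamp_seconds, source_ip, username, login_succeeded).

def per_ip_blocklist(events, max_failures=5, window=300):
    """Firewall-style rule: block an IP with too many failures in the window."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip, user, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            blocked.add(ip)
    return blocked

def per_account_alerts(events, max_failures=5, min_ips=3, window=300):
    """Flag accounts that keep failing from several distinct IPs."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user, ok in events:
        if ok:
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_failures and len({i for _, i in q}) >= min_ips:
            flagged.add(user)
    return flagged

def sample_events():
    """Constructed data: one IP failing 8 times on 'bob', and 20 IPs
    failing twice each on 'admin' (documentation address ranges)."""
    single = [(t, "203.0.113.9", "bob", False) for t in range(0, 80, 10)]
    spread = [(100 + 3 * n + k, f"198.51.100.{n + 1}", "admin", False)
              for n in range(20) for k in range(2)]
    return sorted(single + spread)

if __name__ == "__main__":
    events = sample_events()
    print("blocked IPs:", per_ip_blocklist(events))        # only the single noisy IP
    print("accounts under attack:", per_account_alerts(events))
```
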