Of the highly-visible hacks and data breaches over the past year, a large number of them were related to criminal hackers cracking weak Web passwords. This is arguably the most common Web flaw and something that anyone can exploit at any time. The bad guys don’t want you know this, but “mad hacker skillz”are not required. Wreaking havoc on websites hosting everything from blogs to e-commerce applications to Microsoft Outlook webmail is pretty darned simple if weak passwords are present.
When it comes to Web password-related flaws, it’s clear to me that people:
- Are guilty of creating/using extremely weak Web passwords – this includes all of us – from non-techies to information security professionals. These findings of 10,000 leaked Hotmail passwords say it all.
- Re-use their Web passwords on numerous other business and personal-related websites.
- Don’t think about the long-term consequences of choosing weak Web passwords.
- Haven’t taken the time to understand what makes a good Web password.
So, what can you do to protect yourself, your website(s) and your users? In a nutshell: require passphrases that are simple to remember yet difficult to crack. Note I said passphrases and not passwords. There’s a difference. Passwords are often either too short and easy to crack or too complex and impossible to remember. Both are bad for business.
Passphrases take the concept (and benefits) of strong passwords and turn them into something that the user can actually remember. Here are some examples:
Again, the key is to create passphrases that are relatively simple to remember yet don’t exist in a dictionary and would be next to impossible for someone guess.
Strong passwords don’t equal complete security. There will always be Web vulnerabilities such as SQL injection, missing patches, rogue Web administrators and misconfigured Web sites/applications facilitating Web login attacks that can lead to password exposure. But why not do your part to minimize the risk. It’s much better than being a part of the problem.