One of the most common ways that accounts are compromised (aside from the obvious – leaving your password written down on a piece of paper, making it your birthday, “phishing” emails/websites that masquerade as an authentic communication, or a “low effort” password like the ones outlined in Sandra Lim’s blog entry on “Picking The Right Password”) is via what is known as a “brute force” attack.
Essentially this involves a hacker’s machine going through random passwords with constant login attempts until it hits proverbial paydirt. It’s not terribly elegant (it’s literally pounding away at the login server with password attempts, thus the ‘brute force’ terminology) and you might have noticed that a lot of sites try to combat this by limiting the amount of login attempts you can make before your account is locked out for a period of time – anywhere from an hour to 24 hours.
However, this is still far from standard practice. It can cause significant inconvenience for the legitimate owner of the account if they’re locked out. Attempts to block login attempts by IP address are often fruitless as well since a hacker can easily ‘spoof’ (fake) what IP address their attempts are coming from, or make use of compromised machines (often known as zombie PCs).
Bloomberg Businessweek provides some interesting statistical data on the time it takes for a hacker’s computer to brute force your password based on the length and complexity of your password:
This data hopefully answers the “why?” questions our CSRs often get asked about elements of iiNet’s password policy. Any iiNet password must adhere to the following rules:
1. Should be at least 9 characters in length
2. Should contain a mix of upper and lowercase characters
3. Should contain at least one digit (e.g. 0-9)
4. Cannot be based on your username
5. Cannot contain spaces or tabs.
Any passwords which do not meet these requirements will not be accepted by iiNet’s systems. This applies to staff and customers alike. However, not all password systems are as strict. It’s good security practice to follow those five rules whenever you create a password on any website. Better yet, include symbols.