
New Password Policy

27 November 2017

A lot of you will be familiar with a password policy that involves:

  • a minimum number of characters;
  • at least one lowercase character;
  • at least one UPPERCASE character;
  • at least one number; and
  • a special character, for good luck.

What you may not know is that this was never a good policy, and that its implementation has produced a cornucopia of easily cracked passwords.

In implementing a new policy, we found that most of the vulnerable passwords in our system take the form:

  • Donald123!
  • Password01
  • Star1234

The issue here is not that someone can 'guess' your login. That is unlikely as we allow only a small number of tries before blocking an IP address from further attempts.

The issue is that if the password hashes that we store are ever exposed, a simple brute-force approach will give hackers access to email address and password combinations which they can then try on other systems.

In recent years there have been any number of high-profile hacks/leaks, from Yahoo and LinkedIn to MySpace and Dropbox, with millions of user accounts exposed.

To get ahead of the problem, our new password policy uses open-source libraries to validate and measure the strength of a password, rejecting low-quality passwords and giving the user feedback in the form of a password strength score from 1-100.

These libraries, being open source, are updated over time to counter newly emerging weak-password patterns.

So what makes a good password?

  • a sequence of words, with spaces;
  • the first letters of words from your favourite song or quote;
  • a completely random string of 10-12 characters;
  • using a password manager.
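As an added illustration, not the site's own code nor the open-source library it uses, the following Python sketch scores candidate passwords on a 1-100 scale in the spirit of the policy above: the "word plus digits plus symbol" shapes listed earlier (Donald123!, Password01, Star1234) score low and are rejected, while a spaced passphrase or a random 10-12 character string passes. The mini-dictionary, the assumed 100,000-word attacker list, the 0.8-bits-per-point scale and the acceptance threshold of 60 are all assumptions chosen for the example; a real estimator such as zxcvbn also models leet substitutions, keyboard walks and repeated characters, which this toy omits.

```python
"""Toy password-strength estimator (constructed example, not the site's code).

The constants below (dictionary size, score scale, threshold) are assumptions.
"""
import math
import re

# Constructed mini-dictionary standing in for a breached-password/word corpus.
COMMON_WORDS = {"password", "donald", "star", "welcome", "letmein", "qwerty", "admin"}
DICT_SIZE = 100_000          # assumed size of the attacker's word list
SYMBOL_POOL = 33             # printable ASCII characters that are not letters or digits
BITS_PER_POINT = 0.8         # assumed scale: ~80 bits of guessing work -> score 100
MIN_SCORE = 60               # assumed acceptance threshold

# "Word, then digits, then symbols": the shape the old composition rules
# pushed almost everyone into (Donald123!, Password01, Star1234).
WORD_SUFFIX = re.compile(r"^([A-Za-z]+)([0-9]*)([^A-Za-z0-9]*)$")


def guess_bits(pw: str) -> tuple[float, str]:
    """Return (log2 of the estimated number of guesses, short explanation)."""
    m = WORD_SUFFIX.match(pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        word, digits, symbols = m.groups()
        # Attacker tries each dictionary word, every digit suffix of that
        # length, every symbol suffix of that length, and two capitalisations.
        bits = (math.log2(DICT_SIZE)
                + len(digits) * math.log2(10)
                + len(symbols) * math.log2(SYMBOL_POOL)
                + 1)
        return bits, f"dictionary word '{word}' with a predictable suffix"

    words = pw.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        # Passphrase: each word is one independent draw from the dictionary.
        return len(words) * math.log2(DICT_SIZE), f"{len(words)}-word passphrase"

    # Fallback: brute force over the character classes actually present.
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += SYMBOL_POOL
    return len(pw) * math.log2(pool or 1), f"{len(pw)} characters from a pool of {pool}"


def score(pw: str) -> int:
    """Map estimated guessing work onto the 1-100 scale reported to the user."""
    bits, _ = guess_bits(pw)
    return max(1, min(100, round(bits / BITS_PER_POINT)))


def check_policy(pw: str) -> dict:
    """Accept or reject a candidate password and explain the decision."""
    _, why = guess_bits(pw)
    s = score(pw)
    return {"score": s, "accepted": s >= MIN_SCORE, "reason": why}


if __name__ == "__main__":
    # Constructed candidates: the three weak shapes from the article, a
    # spaced passphrase and a random 12-character string.
    for candidate in ["Donald123!", "Password01", "Star1234",
                      "correct horse battery staple", "k7R#pQ2vLm9x"]:
        print(f"{candidate!r}: {check_policy(candidate)}")
```

The point of the structure is that the score is driven by how an attacker would actually search, not by which character classes appear: Donald123! ticks every box of the old rules yet lands around 2^33 guesses, while four plain lowercase words with spaces land near 2^66. Calibrating the scale and threshold against real cracking throughput is a policy decision, which is why those constants are kept in one place.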

For more information on what constitutes a good (or bad) password policy, please refer to the link below.

Related link
