New Password Policy
27 November 2017
A lot of you will be familiar with a password policy that involves:
- a minimum number of characters;
- at least one lowercase character;
- at least one UPPERCASE character;
- at least one number; and
- a special character, for good luck.
What you may not know is that this was never a good policy and that it's implementation has resulted in a cornucopia of easily hackable passwords.
In implementing a new policy, we found that most of the vulnerable passwords in our system take the form:
The issue here is not that someone can 'guess' your login. That is unlikely as we allow only a small number of tries before blocking an IP address from further attempts.
The issue is that if the password hashes that we store are ever exposed, a simple brute-force approach will give hackers access to email address and password combinations which they can then try on other systems.
In recent years there have been any number of high-profile hacks/leaks, from Yahoo and LinkedIn to MySpace and Dropbox, with millions of user accounts exposed.
To get ahead of the problem, our new password policy uses open source libraries to validate and measure the strength of a password, rejecting low quality passwords, and providing user feedback in terms of a password strength score from 1-100.
These libraries, being open source, will update over time to counter any emerging vulnerability patterns.
So what makes a good password?
- a sequence of words, with spaces;
- the first letters of words from your favourite song or quote;
- a completely random string of 10-12 characters;
- using a password manager.
For more information on what constitutes a good (or bad) password policy, please refer to the link below.