New Password Policy

27 November 2017

A lot of you will be familiar with a password policy that involves:

  • a minimum number of characters;
  • at least one lowercase character;
  • at least one UPPERCASE character;
  • at least one number; and
  • a special character, for good luck.

What you may not know is that this was never a good policy, and that its implementation has resulted in a cornucopia of easily hackable passwords.

In implementing a new policy, we found that most of the vulnerable passwords in our system take the form:

  • Donald123!
  • Password01
  • Star1234

The issue here is not that someone can 'guess' your login. That is unlikely as we allow only a small number of tries before blocking an IP address from further attempts.

The issue is that if the password hashes that we store are ever exposed, a simple brute-force approach will give hackers access to email address and password combinations which they can then try on other systems.

In recent years there have been any number of high-profile hacks/leaks, from Yahoo and LinkedIn to MySpace and Dropbox, with millions of user accounts exposed.

To get ahead of the problem, our new password policy uses open source libraries to validate and measure the strength of a password, rejecting low-quality passwords and giving the user feedback in the form of a password strength score from 1-100.

These libraries, being open source, will be updated over time to counter any emerging weak-password patterns.

So what makes a good password?

  • a sequence of words, with spaces;
  • the first letters of words from your favourite song or quote;
  • a completely random string of 10-12 characters;
  • using a password manager.
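To make the contrast concrete, here is an added example (not chirp's own implementation, and not the open source libraries the policy adopted) that checks the three passwords above against the old composition rules and against a guess-count estimate of the kind a strength library produces. The seven-word dictionary is a constructed stand-in, and the dictionary size (30,000), attacker vocabulary (20,000), rejection threshold (10^10 guesses) and the mapping of 80 bits of guessing work to a score of 100 are all assumptions chosen for illustration.

```python
import math
import re

# Constructed stand-in for a real dictionary / leaked-password list; a production
# check would load tens of thousands of entries from disk (assumption).
COMMON_WORDS = {"password", "donald", "star", "welcome", "letmein", "qwerty", "admin"}
ASSUMED_DICT_SIZE = 30_000   # assumption: size of the real list COMMON_WORDS stands in for
ASSUMED_VOCAB = 20_000       # assumption: vocabulary used for word-by-word passphrase guessing
CASE_VARIANTS = 3            # lowercase, Capitalised, UPPERCASE
SYMBOLS = 33                 # printable ASCII characters that are not letters or digits
MIN_GUESSES = 10 ** 10       # assumption: below this, an offline attack on a fast hash finishes quickly

# "word, then digits, then symbols": the shape of Donald123!, Password01 and Star1234
WORD_SUFFIX = re.compile(r"^([A-Za-z]+)(\d*)([^A-Za-z0-9]*)$")


def old_policy_ok(pw: str, require_special: bool = False) -> bool:
    """The composition policy the post criticises: minimum length plus character classes."""
    rules = [len(pw) >= 8,
             re.search(r"[a-z]", pw) is not None,
             re.search(r"[A-Z]", pw) is not None,
             re.search(r"[0-9]", pw) is not None]
    if require_special:
        rules.append(re.search(r"[^A-Za-z0-9]", pw) is not None)
    return all(rules)


def charset_size(pw: str) -> int:
    """Alphabet size a naive brute-force attacker would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return size


def estimate_guesses(pw: str) -> int:
    """Estimated attacker guesses: the cheapest applicable strategy sets the bound."""
    estimates = [charset_size(pw) ** len(pw)]                      # plain brute force
    m = WORD_SUFFIX.match(pw)
    if m and m.group(1).lower() in COMMON_WORDS:                    # dictionary word + digits + symbols
        _, digits, symbols = m.groups()
        estimates.append(ASSUMED_DICT_SIZE * CASE_VARIANTS
                         * 10 ** len(digits) * SYMBOLS ** len(symbols))
    words = pw.split()
    if len(words) >= 2:                                             # passphrase guessed word by word
        estimates.append(ASSUMED_VOCAB ** len(words))
    return max(1, min(estimates))


def strength_score(pw: str) -> int:
    """Map estimated guesses onto a 1-100 scale (assumption: 80 bits of work scores 100)."""
    bits = math.log2(estimate_guesses(pw))
    return max(1, min(100, round(100 * bits / 80)))


def validate(pw: str) -> dict:
    """Accept only passwords whose estimated guess count clears MIN_GUESSES."""
    guesses = estimate_guesses(pw)
    return {"accepted": guesses >= MIN_GUESSES, "guesses": guesses, "score": strength_score(pw)}


if __name__ == "__main__":
    for pw in ["Donald123!", "Password01", "Star1234",
               "correct horse battery staple", "x7Q!pL2#mV9k"]:
        v = validate(pw)
        verdict = "accept" if v["accepted"] else "reject"
        print(f"{pw!r:32} old policy: {old_policy_ok(pw)!s:5} "
              f"new policy: {verdict} score {v['score']:3} (~{v['guesses']:.1e} guesses)")
```

All three passwords from the post satisfy the composition rules yet fall far below the threshold, because an attacker who tries dictionary words with numeric and symbol suffixes covers them in well under 10^10 guesses; the four-word phrase and the 12-character random string clear it comfortably. A real strength library uses much larger dictionaries and more patterns (keyboard walks, dates, repeats), so this estimator is deliberately optimistic for anything it does not recognise.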

For more information on what constitutes a good (or bad) password policy, please refer to the link below.

Related link
