According to the leader: "An analysis by Verizon, an American telecoms firm, found that the biggest reason for successful security breaches was easily guessable passwords."
The following extract from the article is especially relevant for developers:
"One obvious answer would be for sites to limit the number of guesses that can be made before access is blocked, as cash machines do. Yet whereas the biggest sites, such as Google and Microsoft, do take such measures (and more), many do not. A sample of 150 big websites examined in 2010 by Mr Bonneau and his colleague Sören Preibusch found that 126 made no attempt to limit guessing.
When developing your websites, how you manage passwords is vital.
How this state of affairs arose is obscure. For some sites, laxity may be rational, since their passwords are not protecting anything particularly valuable, such as credit-card details. But password laxity imposes costs even on sites with good security, since people often use the same password for several different places.
One suggestion is that lax password security is a cultural remnant of the internet’s innocent youth—an academic research network has few reasons to worry about hackers. Another possibility is that because many sites begin as cash-strapped start-ups, for which implementing extra password security would take up valuable programming time, they skimp on it at the beginning and then never bother to change. But whatever the reason, it behoves those unwilling to wait for websites to get their acts together to consider the alternatives to traditional passwords."
A few ideas:
- Disable account (at least temporarily) after a number of failed logon attempts
- Don't allow the most common x hundred passwords. You can get lists from the internet.
- When people create new passwords remind them not to use the same password as they have used elsewhere.
- Use the chip shop approach - hash and salt the passwords to store them. In other words, don't store passwords in cleartext.
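The three mechanisms above (temporary lockout after repeated failures, a common-password denylist, and salted hashing instead of cleartext storage) combined in one small user store. This is an added example written for this page, not code from the article or the post; the denylist entries, the lockout threshold and duration, and the PBKDF2 work factor are assumed values.

```python
import hashlib
import hmac
import os

# Constructed denylist for illustration; a real deployment loads a published
# "most common passwords" list (assumption: these few entries stand in for it).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111"}
MAX_FAILED_ATTEMPTS = 5       # disable the account after this many failures
LOCKOUT_SECONDS = 15 * 60     # temporary lockout, as the post suggests
PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune for your hardware

def is_password_allowed(password: str) -> bool:
    """Reject any password on the common-password denylist."""
    return password.lower() not in COMMON_PASSWORDS

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt per user, never cleartext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class UserStore:
    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "failed", "locked_until"}

    def register(self, username: str, password: str) -> bool:
        if not is_password_allowed(password):
            return False
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked_until": 0.0}
        return True

    def login(self, username: str, password: str, now: float) -> str:
        """Return "ok", "denied" or "locked"; `now` is the current Unix time."""
        rec = self._users.get(username)
        if rec is None:
            hash_password(password)  # same cost as for a real user
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["failed"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Pass `time.time()` as `now` in a real login handler; it is a parameter here so the lockout expiry can be exercised without waiting.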