Potential Password Problems: Signs That It's Time to Move On
Before joining or remaining with an Internet site, review how it handles passwords: how they travel over the network, what it lets you choose, and what happens when a password is guessed at or forgotten.
- Is the password sent over an encrypted connection? It does you little good to create an unguessable password if it crosses the Internet in the clear. Check that the login page, and the address the login form submits to, both use HTTPS.
- What are the password's minimum and maximum lengths? Beware of websites and applications that don't insist on a minimum length, or that cap the maximum in the single digits. A tiny maximum is often a sign that the password is being stored in a fixed-width field rather than hashed, since a hash is the same size no matter how long the input is.
- What characters does the site support? Is the password case-insensitive, or restricted to letters only? Are digits and punctuation allowed? Such limits shrink the space an attacker has to search and corral you into passwords that are more guessable than you intend.
- Are the password-reset challenge questions predictable or easily researched? Once the challenge answers are guessed, what can the attacker do? Vice-presidential candidate Sarah Palin's Yahoo! account was taken over in 2008 because the attacker simply learned all he could about her from public sources. That was enough to answer her reset questions (her birth date, ZIP code, and where she met her husband) and take control of the account.
- Is the account locked if too many incorrect responses are given? Beware of assuming that this feature is implemented, and that it works the way you imagine. Many systems keep the failure counter only in memory or only for a short window, so attack tools try two passwords against your account, move on to the next account, and come back later. When the tool returns to your ID, will the system still "remember" the two earlier wrong guesses?
- What are the password-reset mechanics? Is the reset link sent to an email account with lousy password policies? Your account is only as strong as whatever can reset it, so in today's dispersed web world even account lockout is not the panacea it once was.
- Is the account lockout permanent or temporary? I've got good news and bad news for you. Good news: your account is locked. Bad news: the lockout clears automatically after 20 seconds, which is plenty of time for the script to work on three other accounts before it tries yours again.
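To see why the counter's persistence matters, here is an added simulation (not from the original page; the server, the user names and passwords, the guess list and both lockout policies are constructed for illustration) that runs the same account-rotating spraying tool against a server that forgets failures after 20 seconds and against one whose counter is persistent and whose lockout holds until an administrator clears it:

```python
"""Password spraying versus two lockout policies (constructed simulation)."""
import math
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Parameters a site picks; these values are illustrative, not any real site's."""
    threshold: int           # wrong guesses before the account locks
    counter_window: float    # seconds a wrong guess stays counted (math.inf = persistent)
    lockout_seconds: float   # how long a lock lasts (math.inf = until an admin unlocks it)


@dataclass
class AccountState:
    failure_times: list = field(default_factory=list)
    locked_until: float = 0.0


class AuthServer:
    """Minimal login endpoint applying one LockoutPolicy. Passwords are kept in the
    clear only because this is a simulation; a real server stores a slow hash."""

    def __init__(self, passwords, policy):
        self.passwords = passwords
        self.policy = policy
        self.state = {user: AccountState() for user in passwords}
        self.lockouts = 0

    def login(self, user, password, now):
        st = self.state[user]
        if now < st.locked_until:
            return "locked"
        # Forget failures older than the counter window. With counter_window=math.inf
        # nothing is ever forgotten, which is what a "persistent counter" means.
        st.failure_times = [t for t in st.failure_times
                            if now - t < self.policy.counter_window]
        if password == self.passwords[user]:
            st.failure_times.clear()
            return "ok"
        st.failure_times.append(now)
        if len(st.failure_times) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            st.failure_times.clear()
            self.lockouts += 1
            return "locked"
        return "fail"


def spray(server, users, guesses, tries_per_visit=2, revisit_gap=30.0):
    """Attacker's loop: two guesses per account, rotate through every account,
    wait, then return with the next two guesses. Each attempt takes one second."""
    now = 0.0
    compromised = {}
    for start in range(0, len(guesses), tries_per_visit):
        batch = guesses[start:start + tries_per_visit]
        for user in users:
            if user in compromised:
                continue
            for guess in batch:
                result = server.login(user, guess, now)
                now += 1.0
                if result == "ok":
                    compromised[user] = guess
                    break
        now += revisit_gap
    return compromised


# Constructed sample data: four accounts and a short list of common passwords.
SAMPLE_PASSWORDS = {"alice": "Summer2024!", "bob": "letmein",
                    "carol": "Tr0ub4dor&3", "dave": "qwerty"}
COMMON_GUESSES = ["123456", "password", "Password1", "letmein", "qwerty", "Summer2024!"]

# The page's bad case: three strikes, but the counter and the lock both evaporate in 20 s.
FORGETFUL_POLICY = LockoutPolicy(threshold=3, counter_window=20.0, lockout_seconds=20.0)
# Persistent counter, lock held until an administrator intervenes.
PERSISTENT_POLICY = LockoutPolicy(threshold=3, counter_window=math.inf,
                                  lockout_seconds=math.inf)


def run(policy):
    """Spray the sample accounts under one policy; return (compromised, lockouts)."""
    server = AuthServer(SAMPLE_PASSWORDS, policy)
    compromised = spray(server, list(SAMPLE_PASSWORDS), COMMON_GUESSES)
    return compromised, server.lockouts


if __name__ == "__main__":
    for name, policy in [("counter forgotten after 20 s", FORGETFUL_POLICY),
                         ("persistent counter", PERSISTENT_POLICY)]:
        compromised, lockouts = run(policy)
        print(f"{name}: {len(compromised)} compromised, {lockouts} lockouts -> {compromised}")
```

Under the forgetful policy the tool never trips the threshold: every revisit arrives after the 20-second window, so each account is back to zero strikes and three of the four accounts fall without a single lockout. Under the persistent counter the third wrong guess locks every account and nobody gets in. Note the trade-off the page's last question points at: a lock that never clears hands an attacker a denial-of-service lever against any user whose name is known, so a persistent counter paired with a lockout measured in minutes rather than seconds, and a reset path that does not route through a weak mailbox, is the usual middle ground.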