Don’t Listen to the FTC on Password Security
It may be hard to believe, but even in 2016, brute force attacks remain one of the most common attack vectors on the web. While it’s impossible to guarantee 100% security against brute force attempts, you can get pretty close by using strong passwords, using HTTPS on login pages (also using stronger encryption algorithms), using […]
It may be hard to believe, but even in 2016, brute force attacks remain one of the most common attack vectors on the web.
While it’s impossible to guarantee 100% security against brute force attempts, you can get pretty close by using strong passwords, using HTTPS on login pages (also using stronger encryption algorithms), using two-factor authentication, limiting failed login attempts (and banning those IPs with failed login attempts), adding a CAPTCHA field to login pages, using a firewall to filter malicious traffic, etc.
We all know how important strong passwords are. As part of an experiment, Ars Technica reported that a team of hackers was able to crack 90% of a 16,449 password list — all of which were 16-character, cryptographically hashed passwords. In less than one hour. But security experts are adamant that site owners regularly change passwords as well. Not long ago I believed this was unnecessary, but the recent data breach of Dropbox has changed my mind.