User login

The importance of complex passwords

An incident at the popular web service called Twitter has brought to light the importance of complex passwords. A hacker decided to try to break into a popular user's account at the service. He did so by writing an automated tool that used what's called a dictionary attack to try and guess the user's password. He went to bed and let the tool run all night. The next morning, he found he had broken into the user's account, finding the user's password was set to the word "happiness."

The attack snowballed from that point once he discovered the popular user who's account he had just compromised was part of the support personnel at Twitter and had access to an administrative panel. He was able to use this account, and the administrative panel, to reset anyone's account. He then posted the information on a hacking website and offered access to anyone's account. Several people responded and President-Elect Obama's account was compromised, along with others.

There is plenty of blame to go around, from the application designers allowing unlimited failures on an account (or at least from an IP) with no time restrictions, to the easy access to the administrative panel, to the user with the weak password, and of course, the hacker himself.

This highlights the need for allowing for inconvenience for security reasons. The full article is available here:

http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html