
New Password Policy

27 November 2017

A lot of you will be familiar with a password policy that involves:

  • a minimum number of characters;
  • at least one lowercase character;
  • at least one UPPERCASE character;
  • at least one number; and
  • a special character, for good luck.

What you may not know is that this was never a good policy, and that its implementation has produced a cornucopia of easily cracked passwords.

In implementing a new policy, we found that most of the vulnerable passwords in our system take the form:

  • Donald123!
  • Password01
  • Star1234

The issue here is not that someone can 'guess' your password by trying logins against our servers (an online attack). That is unlikely, as we allow only a small number of attempts before blocking the IP address from further tries, although an attacker with access to many addresses can spread attempts across them, which is one more reason not to rely on lockouts alone.

The issue is that if the password hashes we store are ever exposed, an attacker can run a simple dictionary or brute-force attack offline, at their leisure and with no lockout to slow them down. Passwords of the shape above fall quickly, handing the attacker working email address and password combinations which they can then try on other systems (so-called credential stuffing), and which will work wherever the same password has been reused.
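As an added illustration (not Chirp's own code) of how little protection the old complexity rules give once a hash dump leaks, the Python below builds a constructed "leak" of the three passwords quoted above, hashed with unsalted SHA-256, and recovers all of them using a handful of mangling rules (word or Word, one to four digits, an optional trailing "!") over a ten-word list. The word list, the rules, the usernames and the assumed minimum length of 8 are all made up for the demonstration; a real cracker uses millions of base words harvested from earlier breaches.

```python
# Added example, not Chirp's code: why passwords that satisfy the old
# complexity rules fall to an offline attack once a hash dump leaks.
# Constructed assumptions: the "leaked" dump is unsalted SHA-256, the
# minimum length is 8, and the word list, mangling rules and usernames
# are made up for the demonstration.
import hashlib
import re
from typing import Dict, Iterator, List

# The old policy from the post: minimum length (assumed 8 here), lowercase,
# uppercase, a digit and a special character.
OLD_POLICY = [
    re.compile(r".{8,}"),
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
]

# A deliberately tiny base-word list; a real cracker uses millions of words
# harvested from earlier leaks, so this understates the attacker.
WORDS = ["donald", "password", "star", "summer", "dragon",
         "monkey", "football", "welcome", "letmein", "sunshine"]
SUFFIX_SYMBOLS = ["", "!"]   # 'a special character, for good luck'
MAX_DIGITS = 4


def passes_old_policy(pw: str) -> bool:
    """True if pw satisfies every rule of the old complexity policy."""
    return all(rule.search(pw) for rule in OLD_POLICY)


def candidates() -> Iterator[str]:
    """Mangling rules: word or Word, then 1-4 digits, then an optional '!'.

    This is exactly the shape of Donald123!, Password01 and Star1234."""
    for word in WORDS:
        for base in (word, word.capitalize()):
            for n in range(1, MAX_DIGITS + 1):
                for d in range(10 ** n):
                    digits = f"{d:0{n}d}"          # keeps leading zeros: 01
                    for sym in SUFFIX_SYMBOLS:
                        yield f"{base}{digits}{sym}"


def keyspace_size() -> int:
    """Number of candidates the rules above generate."""
    digit_strings = sum(10 ** n for n in range(1, MAX_DIGITS + 1))
    return len(WORDS) * 2 * digit_strings * len(SUFFIX_SYMBOLS)


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def build_leak(passwords: List[str]) -> Dict[str, str]:
    """Constructed 'leaked dump': username -> unsalted SHA-256 of password."""
    return {f"user{i}": sha256_hex(pw) for i, pw in enumerate(passwords)}


def crack(leak: Dict[str, str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every leaked hash.

    Unsalted hashes let one computation test the whole dump; a per-user
    salt only forces the loop to run once per user, it does not enlarge
    the keyspace."""
    targets = {h: user for user, h in leak.items()}
    found: Dict[str, str] = {}
    for guess in candidates():
        h = sha256_hex(guess)
        if h in targets and targets[h] not in found:
            found[targets[h]] = guess
            if len(found) == len(targets):
                break
    return found


# The three passwords quoted in the post, as a constructed sample dump.
LEAKED = build_leak(["Donald123!", "Password01", "Star1234"])

if __name__ == "__main__":
    print("candidates generated by the rules:", keyspace_size())
    for pw in ["Donald123!", "Password01", "Star1234"]:
        print(f"{pw:12} passes old policy: {passes_old_policy(pw)}")
    print("recovered:", crack(LEAKED))
```

Two things are worth noticing. "Donald123!" satisfies every rule of the old policy and is still recovered in a fraction of a second, because the rules generate fewer than half a million candidates. Storing the hashes with a per-user salt and a slow algorithm such as bcrypt makes each guess cost more, which is worth doing, but it does not change the size of that keyspace: the only real defence is a password that is not in it.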

In recent years there have been any number of high-profile hacks/leaks, from Yahoo and LinkedIn to MySpace and Dropbox, with millions of user accounts exposed.

To get ahead of the problem, our new password policy uses open source libraries to validate and measure the strength of a password, rejecting low-quality passwords and giving you feedback as a strength score from 1 to 100. Libraries of this kind score a password by estimating how many guesses a cracker would need rather than by counting character classes, so a dictionary word with a common suffix is recognised as such instead of being rewarded for its capital letter, digits and symbol.

Because these libraries are open source and maintained by a wider community, they are updated over time to recognise newly emerging patterns of weak passwords.

So what makes a good password?

  • a sequence of several unrelated words, separated by spaces (a passphrase);
  • the first letters of the words from a song or quote that is personal to you (famous lines are already in the crackers' lists);
  • a completely random string of 10-12 characters, produced by a generator rather than made up in your head;
  • a password manager, which generates and remembers a different random password for every site so that none is ever reused.
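To make the scoring approach described above concrete, here is a small guess-count estimator in the spirit of the new policy. It is an added example, not the library Chirp uses or its own policy code, and its numbers (an attacker dictionary of 20,000 base words, two case variants, the 1-100 mapping and a rejection threshold of 50) are constructed assumptions. It models the three attacks a cracker would try against the password shapes discussed on this page: a passphrase as a sequence of dictionary words, the "word + digits + symbol" pattern, and plain brute force over the character classes present, and it scores by the cheapest of them.

```python
# Added example, not Chirp's policy code: a small guess-count estimator in
# the spirit of the new policy. It scores a password by how many guesses an
# offline cracker would need, not by which character classes it contains, so
# "Donald123!" scores low and "correct horse battery staple" scores high
# without a single capital, digit or symbol. The dictionary size, symbol
# count, score mapping and rejection threshold are constructed assumptions.
import math
import re
import string
from typing import List, Tuple

DICT_SIZE = 20_000      # assumed size of the attacker's base-word dictionary
CASE_VARIANTS = 2       # word / Word
MIN_SCORE = 50          # assumed cut-off below which a password is rejected

# The "word + digits + optional symbol" shape the post calls out.
WORD_DIGITS_SYMBOL = re.compile(r"^([A-Za-z]+)(\d{1,4})([^A-Za-z0-9\s]?)$")


def charset_size(pw: str) -> int:
    """Alphabet size for a random-string model, from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    if " " in pw:
        size += 1
    return size


def guess_models(pw: str) -> List[Tuple[int, str]]:
    """Every attack model that fits pw, as (guesses, model name)."""
    models: List[Tuple[int, str]] = []
    tokens = pw.split(" ")
    if len(tokens) >= 2 and all(t.isalpha() for t in tokens):
        # Passphrase: dictionary words tried in sequence.
        models.append((DICT_SIZE ** len(tokens), "passphrase"))
    m = WORD_DIGITS_SYMBOL.match(pw)
    if m:
        word, digits, sym = m.groups()
        guesses = DICT_SIZE * CASE_VARIANTS * 10 ** len(digits)
        if sym:
            guesses *= len(string.punctuation)
        models.append((guesses, "word+digits+symbol"))
    # Brute force over the character classes used; always applicable.
    models.append((max(charset_size(pw), 1) ** len(pw), "random"))
    return models


def estimate_guesses(pw: str) -> Tuple[int, str]:
    """The cheapest model wins: that is what an attacker would try first."""
    return min(guess_models(pw), key=lambda gm: gm[0])


def score(pw: str) -> int:
    """Map log10(guesses) onto 1-100: 10^4 guesses or fewer scores 1,
    10^18 or more scores 100 (assumed mapping)."""
    guesses, _ = estimate_guesses(pw)
    lg = math.log10(max(guesses, 1))
    return int(min(100, max(1, round(100 * (lg - 4) / 14))))


def check(pw: str) -> Tuple[bool, int, str]:
    """(accepted, score, model) as a policy endpoint might return it."""
    s = score(pw)
    _, model = estimate_guesses(pw)
    return s >= MIN_SCORE, s, model


if __name__ == "__main__":
    for pw in ["Donald123!", "Password01", "Star1234",
               "correct horse battery staple", "k7#Qz!p2Lm@9"]:
        print(f"{pw!r:32} -> {check(pw)}")
```

Under these assumptions "Donald123!" needs about 1.3 billion guesses and scores in the thirties, well below the cut-off, while a four-word passphrase with no capitals, digits or symbols scores in the nineties. A production estimator goes much further: it matches dates, keyboard walks, repeats and l33t substitutions, and uses real word-frequency lists. This toy has no list of famous quotes, so it over-credits the initialism of a well-known line; treat its exact scores as illustrative rather than authoritative.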

For more information on what constitutes a good (or bad) password policy, please refer to the link below.

Related link
