Our Blog: The Tag Archive for "Mishaps"

Aug8th


Confused.com – lack of password strength

Written by Jon Webb on March 8th, 2009. Posted in Press Releases


It is amazing how many online services such as confused.com still do not enforce adequate password policies. I was amazed to see that, when I finally came to use confused.com and enter my user profile details, I was not allowed to have a password which included special characters such as ^, & or *, and I was not allowed to use any numbers.

Why is this a “bad thing”™? Generally people use straightforward words such as “worthing”, “scrabble” or “letmein” (you get the idea).

Words like these are not just easy for a person to guess; many freely available password-guessing tools can find them in seconds.
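To make the effect of the restriction concrete, here is an added example (not code from confused.com or from the original post) that runs the post's three sample words through a letters-only rule and through a policy that allows any character and rejects known-common passwords. The letters-only model, the `hardened_policy` function, its 12-character minimum and the tiny denylist are assumptions made for illustration.

```python
import math
import string

# Constructed denylist: the three example words from the post. A real
# deployment would load a large list of known-breached passwords.
COMMON_PASSWORDS = {"worthing", "scrabble", "letmein"}

LETTERS = string.ascii_letters                       # 52 symbols
FULL = LETTERS + string.digits + string.punctuation  # 94 symbols


def letters_only_policy(password: str) -> bool:
    """Assumed model of the restrictive rule: ASCII letters only."""
    return bool(password) and all(c in LETTERS for c in password)


def hardened_policy(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Hypothetical replacement: any character allowed, denylist, length floor."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


def search_space_bits(length: int, alphabet: str) -> float:
    """Upper bound in bits for a randomly chosen password; a dictionary
    word is worth far less because guessing tools try word lists first."""
    return length * math.log2(len(alphabet))


def compare(samples):
    """Return (password, accepted_by_letters_only, hardened_result) rows."""
    return [(p, letters_only_policy(p), hardened_policy(p)) for p in samples]


if __name__ == "__main__":
    for row in compare(["letmein", "scrabble", "correct^horse*battery9"]):
        print(row)
    for name, alphabet in (("letters only", LETTERS), ("full printable", FULL)):
        print(f"8 random chars, {name}: {search_space_bits(8, alphabet):.1f} bits")
```

The letters-only rule accepts every weak sample word and rejects the long mixed passphrase, which is the opposite of what a password policy should do.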

Confused.com Password Strength Analysis


A case in point: we recently performed technical due diligence on an existing web application and found that all the customer passwords were held unencrypted, along with the customers' email addresses. Just think how much damage somebody with your email address and password could do by accessing services like your online car insurance, internet banking and other online services.

Food for thought.