I came across a very interesting article entitled “Do Strong Web Passwords Accomplish Anything?” What struck me was that a lot of traditional wisdom about passwords, namely that they be “strong” and be accompanied by what I am now classifying as a static failed-login-count-then-lockout strategy, is actually not as effective as I thought.
Highlights of the article:
- Large user IDs and weak passwords are better than small user IDs and strong passwords.
- Does it take you the same amount of time to return successful logins as it does failed logins? If not, then you may be giving away that the user ID is correct even if you generalize the error message.
- A geometrically increasing lockout time associated with IPs can actually thwart hackers while not penalizing legitimate login attempts.
I am posting this article because it takes what is commonly accepted as effective web login security, shows how lacking it really is, and details what can be done to make it much more effective.
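The two highlights above that describe mechanisms, an equal-cost success/failure path and a per-IP geometrically growing lockout, as an added example (my code, not from the article or this post); it assumes a constructed in-memory user store and a hypothetical `LoginGuard` class whose caller supplies the current time:

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Lockout policy (constructed values): after THRESHOLD failures from one IP,
# lock that IP for BASE_LOCKOUT seconds, doubling on every further failure.
THRESHOLD, BASE_LOCKOUT, GROWTH = 3, 1.0, 2.0

# Constructed in-memory user store: user ID -> (salt, PBKDF2 hash).
USERS = {}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def add_user(uid, password):
    salt = os.urandom(16)
    USERS[uid] = (salt, _hash(password, salt))

# Dummy credentials: an unknown user ID still costs a full hash computation, so
# the failure path takes the same time whether or not the user ID exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def lockout_seconds(failures):
    """Geometrically growing lockout; zero until THRESHOLD is reached."""
    if failures < THRESHOLD:
        return 0.0
    return BASE_LOCKOUT * GROWTH ** (failures - THRESHOLD)

class LoginGuard:
    def __init__(self):
        # Per-IP state: {"failures": n, "locked_until": unix time}
        self.ips = defaultdict(lambda: {"failures": 0, "locked_until": 0.0})

    def attempt(self, ip, uid, password, now):
        st = self.ips[ip]
        if now < st["locked_until"]:
            return "locked"  # refuse without touching credentials while locked
        salt, stored = USERS.get(uid, (_DUMMY_SALT, _DUMMY_HASH))
        # Constant-time digest compare; the dict lookup is negligible next to PBKDF2.
        ok = hmac.compare_digest(_hash(password, salt), stored) and uid in USERS
        if ok:
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        st["locked_until"] = now + lockout_seconds(st["failures"])
        return "failed"
```

A successful login resets only the offending IP's counter, so a legitimate user on another address is never locked out by someone else's failures.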