It’s the kind of story that really gets your attention: Twitter, by any measure the most buzzed about network of 2008, got hacked by an 18-year-old!
With absolutely no skill or finesse involved, either. Anybody reading this could have done the same. You just download a free password-cracker program like Crack, John the Ripper, L0phtCrack, or Cain, point it at a log-in page, and let it run for a couple of days. It’s that simple.
Dictionary attacks have been used since at least the 1980s, before the World Wide Web even came along. System admins have been scolding users for keeping easily guessed passwords around for almost that long. So the fact that you can be on the staff of a hip, trendy ‘Web 2.OH’ company and not know better just goes to show that this problem is never going away.
Jeff gives an interesting solution in the article: introducing an incrementally increasing delay between successive log-in attempts. Not too punishing for the legitimate user, but too much of a hurdle for a cracker. Even better are the forms you see here and there on the web, which rate the strength of your password when you sign up.
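To make both of those ideas concrete, here is an added example (not code from this post or from Jeff’s article) of a server-side log-in throttle that lengthens the wait after every failed attempt on an account, plus a simple sign-up strength check that refuses dictionary words. The delay schedule (base delay times the number of failures), the `check_credentials` callback, the `FakeClock` used for the demo, and the tiny `COMMON_WORDS` list are all assumptions made for illustration.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed mini dictionary; a real deployment would load a large wordlist.
COMMON_WORDS = {"password", "letmein", "qwerty", "sunshine", "123456"}


@dataclass
class AttemptRecord:
    failures: int = 0          # consecutive failed attempts on this account
    last_failure: float = 0.0  # clock reading at the most recent failure


class LoginThrottle:
    """Incrementally increasing delay between log-in attempts for one account.

    After n consecutive failures the account must wait base_delay * n seconds
    (capped at max_delay) before another password is even checked, so a
    dictionary attack that needs thousands of guesses slows to a crawl while a
    user who mistypes once waits only a moment.
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable so the schedule can be tested offline
        self._records: Dict[str, AttemptRecord] = {}

    def required_delay(self, username: str) -> float:
        """Seconds that must separate the last failure from the next attempt."""
        rec = self._records.get(username)
        if rec is None:
            return 0.0
        return min(self.base_delay * rec.failures, self.max_delay)

    def seconds_until_allowed(self, username: str) -> float:
        rec = self._records.get(username)
        if rec is None:
            return 0.0
        remaining = rec.last_failure + self.required_delay(username) - self.clock()
        return max(0.0, remaining)

    def attempt(self, username: str, password: str,
                check_credentials: Callable[[str, str], bool]) -> Tuple[bool, float]:
        """Return (accepted, seconds_to_wait_before_next_try)."""
        wait = self.seconds_until_allowed(username)
        if wait > 0:
            # Refused before the password is looked at: the guess costs the
            # attacker a round trip but tells them nothing.
            return False, wait
        if check_credentials(username, password):
            self._records.pop(username, None)  # success resets the counter
            return True, 0.0
        rec = self._records.setdefault(username, AttemptRecord())
        rec.failures += 1
        rec.last_failure = self.clock()
        return False, self.required_delay(username)


def password_strength(password: str) -> Tuple[int, str]:
    """Constructed sign-up check: score 0-4 plus a verdict; dictionary words score 0."""
    if password.lower() in COMMON_WORDS:
        return 0, "dictionary word"
    score = 0
    if len(password) >= 8:
        score += 1
    if len(password) >= 12:
        score += 1
    if re.search(r"[a-z]", password) and re.search(r"[A-Z]", password):
        score += 1
    if re.search(r"\d|[^\w\s]", password):
        score += 1
    verdict = "weak" if score <= 1 else "fair" if score == 2 else "strong"
    return score, verdict


class FakeClock:
    """Constructed clock for the demo so the schedule runs without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=2.0, clock=clock)
    creds = lambda user, pw: pw == "correct horse"  # stand-in credential store
    for guess in ("qwerty", "letmein", "sunshine"):
        print("guess", guess, "->", throttle.attempt("alice", guess, creds))
        clock.t += 0.5  # a scripted attacker retrying every half second
    print("strength:", password_strength("Tr0ub4dor&3"))
```

Note that the throttle keys on the account name rather than the source address, which is what stops a distributed attack on a single well-known account; it also answers the refusal without consulting the password store, so the throttled path is cheap for the server and leaks nothing about whether the guess was close.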
Finally, if OpenID catches on, we just might be able to get all of the problems with user passwords in one spot, where at least they’ll be easier to kill.