Ouch, Twitter, Ouch - Lessons in Password Security

Yesterday, Wired carried a report of several prominent Twitter accounts getting hacked. The first problem with Twitter's security is that they weren't throttling invalid password attempts on their accounts, so it was just a matter of time and poor passwords before a malicious party got in. Unfortunately for Twitter, the hacked account belonged to a staffer with the ability to change the password on every user account. Barack Obama, Britney Spears and Fox News were compromised, along with quite a few others. It was a classic and simple hack.
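As an added illustration of the control Twitter was missing, here is a per-account throttle for failed login attempts. This is example code written for this post, not Twitter's or Junction Networks' code; the class name, the thresholds and the `verify` callback are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account throttle for failed password attempts (added example, hypothetical).

    Failure timestamps are kept per account in a sliding window. Once `max_failures`
    failures land inside `window_seconds`, further attempts on that account are refused
    for `lockout_seconds`, even if the password is now correct. A guessing attack then
    costs many lockout windows instead of being "a matter of time", and every refused
    attempt is an obvious event to log and alert on.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time at which the lockout expires

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.clock()

    def attempt(self, account, password, verify):
        """Return 'locked', 'ok' or 'fail'. `verify(account, password)` checks the credential."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"          # refuse before touching the credential store
        self._prune(account, now)
        if verify(account, password):
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account].clear()
        return "fail"
```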

The second problem Twitter had is the same problem that every network administrator deals with -- the users. It is so important for all users of a system, but particularly those with administrative access, to follow good password practices. Here are some good guidelines to remember:

  • The longer your password is, the more computation is required to crack it. Passwords should be at least 8 characters.
  • Passwords should use a mix of characters - numbers, upper and lower case letters and special characters if the system allows for it. L33tsp3@k 1s v3ry us3ful h3r3.
  • Passwords should not be dictionary words and certainly should not be named after a person or a pet, even if you tack on some numbers at the end. "Fluffy12" is not nearly as good a password as "il1k3d0gs!".
  • Passwords should not be shared, unless completely unavoidable. If several people at a company are sharing a password for a company account, it should be changed immediately if one of those people leaves the company.
  • Passwords should be changed on a regular basis, but not so frequently that the user has to write the new password down on post-it notes to remember it. Naturally, written-down passwords should be avoided - if a user has too many passwords to remember, invest in encrypted password storage software. It's worth it.

For those of you who are administering Junction Networks accounts, this security is really important. Can you imagine the damage that a malicious user could do to your company if your account was compromised? Our interface gives the ability to route your company's phone numbers, set up your auto-attendant and manage users - so a malevolent user could easily delete all of those things (or worse, reroute them to something really inappropriate).

Without security, any system becomes unusable. We cannot stress it enough. To change your administrative user password with Junction Networks, log into OnSIP, then click on "Account" and click "Change admin password".