Well, it finally happened. I’d been telling a client that their email passwords were not strong enough for months, but we’d been unable to nail down a time or strategy to fix it. In a slightly passive aggressive move, every time they asked me to set up a new email address with a simple password I ignored that and used a much stronger one, so we were slowly getting there simply by natural attrition!
Then on Sunday afternoon an email came through from the hosting company (in America) that one of the oldest accounts had been compromised and was sending spam. So they’d decided to take action. Well, how bad could it be?
Pretty bad-
1. No outgoing email for the entire domain
2. refuse to allow outgoing email until we provided a screen shot of a clean virus scan of the affected machine
3. recommend changing passwords for all email addresses on domain
That’s fairly reasonable and I don’t think we could argue that the response was over the top. But what real world effect did this have? Well, it meant that about 10 people could not send email for an entire day. Why? Because it took that long to scan, screenshot and send to the host to prove we were no longer affected. And to be honest there was no problem with the machine- the email account had been compromised because it used a password that was too simple. A brute force attack would have lowered the trousers on the account in about 2 seconds.
The days of using simple, easily remembered and much recycled passwords are over. Open Textedit, make your hand into a fist, and push a few random keys with your fist. Include a grammatical mark somewhere. Instant new password! Can’t remember it? You don’t need to if your computer does- use iCloud Keychain, 1Password, LastPass, KeePass, RoboForm or another utility to remember them for you.
What did we learn from this?
1. Using crappy passwords will get you into trouble eventually
2. It may not be just you who is affected
3. This would have been easier to fix if the host was in Australia
4. Remediation can take a long time, simply setting a date and resetting the passwords would have been quicker
*HINT- if you are using cpanel it has a built in password strength checker. You should assume that any password with a strength of less than 70/100 is useless
How long would it take to crack your password? Remember this was written in 2011…… and this was 2 years later. You can try your password out here. When I input this customers email password (now changed) I get the disturbing news ‘it would take a desktop PC about 19 seconds to crack your password’. Lovely.
We did reset all of the passwords while waiting for the virus scan to complete, so that part did not take any extra time, but of course there was one more hurdle to overcome- not all of the clients were available to change their passwords and so there were many failed logins after the password change. This made the hosts firewall block ALL login attempts- meaning that all staff at that site were prevented from using email again. Lucky this was simple to fix.
Please have a think about whether your passwords are adequate, and if you need to change some- don’t delay- contact us asap so we can help!