best web hosting blog
1/02/09
New password strength requirements
Well, we are starting off the new year with some anti-spam issues.
Our web hosting users run the gamut from well-seasoned professionals to technology-intimidated newbies. Up till now, we have tried to allow our users as much latitude as possible with their approach to the web, but twice in the last month, a user's email account on our mail server was found to have a password equal to "password".
This was obviously not secure, and spammers exploited these email accounts. Therefore, we increased the strength requirements for our web hosting email passwords.
So, starting Monday, Feb 2, our email password strength requirements are as follows:
8 or more characters in length
1 or more uppercase letters
1 or more lowercase letters
1 or more numerals
Special characters (!@#$%^&*<>:;) are encouraged, but not required.
This start date was several weeks away, allowing us to send 3 notices, one week apart, to all web hosting email users. Some suggestions for creating memorable passwords are permutations of dates and addresses:
Tuesday-March3,1995
1234#CanalStreet!70130
We also told our users not to use obvious entries such as their own current street address or birthday, and we included a link to a PDF with screenshots on how to change their email password. About half a dozen users called us with questions. None called us after the second notice.
Hopefully everyone preemptively changed their password, but even so, we are blocking out a lot of extra time on Feb 2 for user support when some people cannot access their email.
Fortunately for our web hosting users, they will not lose any email. All email will continue to be received; they just won't be able to log in to the web mail or POP the email server until their password is updated.
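As an added example (not our mail server's actual code), here are the requirements above written as a Python check. The denylist and its edge-stripping step are assumptions added here, because a password like "Password1" satisfies all four required rules; the function names are hypothetical.

```python
import re

MIN_LENGTH = 8
ENCOURAGED_SPECIALS = "!@#$%^&*<>:;"  # from the post: encouraged, not required

# Constructed denylist (assumption): the password from the incident plus the
# two samples published in the post, which are public and therefore guessable.
DENYLIST = {"password", "tuesday-march3,1995", "1234#canalstreet!70130"}


def policy_failures(password):
    """Return the required rules from the post that the password fails."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not re.search(r"[A-Z]", password):
        failures.append("uppercase")
    if not re.search(r"[a-z]", password):
        failures.append("lowercase")
    if not re.search(r"[0-9]", password):
        failures.append("numeral")
    return failures


def is_denylisted(password):
    """True if the password, or its core with leading/trailing digits and
    special characters stripped, is on the denylist (case-insensitive)."""
    lowered = password.lower()
    core = lowered.strip("0123456789" + ENCOURAGED_SPECIALS)
    return lowered in DENYLIST or core in DENYLIST


def check(password):
    """Return (accepted, reasons, has_special); has_special is advisory only."""
    reasons = policy_failures(password)
    if is_denylisted(password):
        reasons.append("denylisted")
    has_special = any(c in ENCOURAGED_SPECIALS for c in password)
    return (not reasons, reasons, has_special)


if __name__ == "__main__":
    # Constructed sample inputs, not real account data.
    for pw in ["password", "Password1", "abc", "Harbor7-Lantern-Quilt"]:
        print(repr(pw), check(pw))
```

The composition rules alone accept "Password1"; only the denylist step rejects it.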
