Bad Password Security at Twitter
Twitter fell to a dictionary attack because the site allowed unlimited failed login attempts:
Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
Coding Horror has more, but—come on, people—this is basic stuff.
EDITED TO ADD (1/14): Twitter responds.
bob • January 12, 2009 8:26 AM
Absolutely the most basic security concept for logins is to have a 2 second delay in responding to a bad password/invalid account (and don't specify which). Humans (almost) won't even notice, but scripts will be slowed by a factor of 5,000 or so, making brute-force attacks impractical. Basic step #2: after 5 consecutive failures lock the account out for an hour.
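The two controls bob describes above (a fixed delay on every failed attempt, and locking the account after five consecutive failures) as an added Python example; this is not code from the original post or its comments, and the `LoginThrottle` class, its PBKDF2 hashing and the sample user are constructed for illustration. It also returns the same generic error whether the username exists or not, and hashes against a dummy record for unknown usernames so that a missing account costs the same time as a wrong password.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values from the comment: 2 s delay per failure, 5 failures -> 1 h lockout.
FAILURE_DELAY_SECONDS = 2.0
MAX_CONSECUTIVE_FAILURES = 5
LOCKOUT_SECONDS = 3600
GENERIC_ERROR = "invalid username or password"  # never say which part was wrong

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class _AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0  # clock value; 0 means not locked

class LoginThrottle:
    def __init__(self, users, clock=time.monotonic, sleep=time.sleep):
        # users: {username: (salt, pbkdf2_hash)}; clock/sleep are injectable for tests.
        self._users = users
        self._clock = clock
        self._sleep = sleep
        self._state = {}  # username -> _AccountState (use a bounded store in production)
        # Dummy record for unknown usernames: same hashing cost, can never match.
        self._dummy = (os.urandom(16), hash_password("dummy", os.urandom(16)))

    def is_locked(self, username):
        state = self._state.get(username)
        return state is not None and state.locked_until > self._clock()

    def attempt(self, username, password):
        now = self._clock()
        state = self._state.setdefault(username, _AccountState())
        salt, expected = self._users.get(username, self._dummy)
        # Always compute and compare the hash, even while locked, to keep timing uniform.
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if ok and state.locked_until <= now:
            state.consecutive_failures = 0
            return True, "ok"
        if state.locked_until <= now:  # count failures only while not already locked
            state.consecutive_failures += 1
            if state.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                state.locked_until = now + LOCKOUT_SECONDS
                state.consecutive_failures = 0
        self._sleep(FAILURE_DELAY_SECONDS)  # slow every failure, including locked-out ones
        return False, GENERIC_ERROR
```

Note that a per-account lockout lets anyone lock a victim out by submitting wrong passwords on purpose, so it is usually paired with per-source rate limits or a CAPTCHA rather than used alone.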