Twitter’s back-end system allowed an unlimited number of attempts and also allowed such a weak password, so Twitter’s development team is partially to blame.

A share of the blame should also go to Twitter’s web analysts. Much like you should set up some type of custom reporting based on server error messages (404’s and 500’s), setting up an alert system and analytics on administrative systems, particularly when it comes to access to those systems, should be a priority for the launch of any site.

However, the majority of the blame should be paced at the feet of the administrator. Whoever did this is not alone. A number of years ago I was involved in a site security audit where we essentially ran the following SQL statement (it wasn’t this simple, but you get the idea):

select password, count(password)
from users
group by password
order by count(password) DESC

The results of this on the site (and, I imagine every site) were shocking. The top positions were held down by passwords such as “password”, “12345″, and the names of cartoon characters.

Factoring in proper nouns, capitalization differences, and prefixes and suffixes, there are only a couple of hundred million passwords that are based on the English language. If the hackers were able to brute-force attack the form at the rate of 10 tries per second, they could exhaust every iteration of every word in English in a month.

If you look at using random letters, numbers, and symbols in a password, the possibilities balloon. A six-character password of this type has over 200 BILLION combinations. At the same rate, it would take a brute-force attack over TEN YEARS to exhaust the possibilities. An eight-character password would take over fifty thousand years! So you can see the power of strong passwords.

To avoid a screw-up of such magnitude with your personal and professional applications, try the following two sites to generate strong passwords (and avoid ones that are actual words):

Automated Password Generator Online: This allows you to set criteria for your potential passwords such as length and character set.

GRC’s Ultra High Security Password Generator: This site generates three types of truly random strings with each page refresh. It also goes into the math of 512-bit encryption.

Good luck and stay safe!

Cross-posted at Tom’s Analytics.

Looks pretty similar, although the print “function” is (finally) now a true function.

I love their “Porting to Python 3.0” bit (my comments added):

0. (Prerequisite:) Start with excellent test coverage. #lulz
1. Port to Python 2.6. This should be no more work than the average
   port from Python 2.x to Python 2.(x+1). Make sure all your tests
   pass. #JHFC
2. (Still using 2.6:) Turn on the -3 command line switch.
   This enables warnings about features that will be removed (or
   change) in 3.0. Run your test suite again, and fix code that you
   get warnings about until there are no warnings left, and all your
   tests still pass. #Fix until their are no warnings… no shit, really?
3. Run the 2to3 source-to-source translator over your source code
   tree. (See 2to3 – Automated Python 2 to 3 code translation for more on this tool.) Run the
   result of the translation under Python 3.0. Manually fix up any
   remaining issues, fixing problems until all tests pass again. #does the 2to3 tool include a suicide pill?

#!/usr/bin/perl

#  How many games would you like to roll?
$iterations = 1000;

for ($count = $iterations; $count >= 1; $count--) {

print "$count \n";

# Bankroll per game.  Rules are set up for a $5 bet on a 3x/4x/5x table.
$bankroll = 200;

$rollcount = 0;
$high = 200;

$itson = 1;

while ($itson == 1) {

	$die1 = int(rand() * 6) + 1;
	$die2 = int(rand() * 6) + 1;
	$roll = $die1 + $die2;
	$rollcount = $rollcount + 1;

	if ($roll == 7 || $roll == 11) {
		$bankroll = $bankroll + 5;
		# print "W $roll $bankroll $rollcount\n";
		if ($bankroll > $high) {
			$high = $bankroll;
			}
		}

	elsif ($roll == 2 || $roll == 3 || $roll == 12) {
		$bankroll = $bankroll - 5;
		# print "L $roll $bankroll $rollcount\n";
		}

	else {
		$setnum = $roll;
		$notcrapped = 1;
		while ($notcrapped == 1) {

			$die1 = int(rand() * 6) + 1;
			$die2 = int(rand() * 6) + 1;
			$roll = $die1 + $die2;
			$rollcount = $rollcount + 1;

			if ($roll == $setnum) {
				$bankroll = $bankroll + 35;
				# print "W $roll $bankroll $rollcount\n";
				if ($bankroll > $high) {
					$high = $bankroll;
					}
				$notcrapped = 0;
				}

			if ($roll == 7) {

				if ($setnum == 4 || $setnum == 10) {
					$bankroll = $bankroll - 20;
					}

				if ($setnum == 5 || $setnum == 9) {
					$bankroll = $bankroll - 25;
					}

				if ($setnum == 6 || $setnum == 8) {
					$bankroll = $bankroll - 30;
					}

				# print "L $roll $bankroll $rollcount\n";
				$notcrapped = 0;
				}
			}
		}	

# Game ends when you have less than $5
	if ($bankroll < 5) {
		$losses = $losses + 1;
		$itson = 0;
		}

# It also ends if youmake $1000
	if ($bankroll >= 1000) {
		$wins = $wins + 1;
		$itson = 0;
		}

	}

if ($high > $biggest) {
	$biggest = $high;
	}

if ($rollcount > $mostrolls) {
	$mostrolls = $rollcount;
	}

$bigrollcount = $bigrollcount + $rollcount;
$bighigh = $bighigh + $high;

}

print "$iterations Iterations \n";
print "Ave Rollcounts: " . sprintf("%.3f", $bigrollcount/$iterations) . "\n";
print "Ave Rollcounts Hours: " . sprintf("%.3f", int($bigrollcount/$iterations)/180) . "\n";
print "Most Rollcounts: $mostrolls\n";
# Most Rollcounts Days assumes 3 rolls/minute.
print "Most Rollcounts Days: " . sprintf("%.3f", ($mostrolls/180)/24) ."\n";
print "Ave Most Won: " . ($bighigh/$iterations) . "\n";
print "Biggest Win: $biggest\n";
print "$wins Wins | $losses Losses";