Twitter’s back-end system allowed an unlimited number of attempts and also allowed such a weak password, so Twitter’s development team is partially to blame.

A share of the blame should also go to Twitter’s web analysts. Much like you should set up some type of custom reporting based on server error messages (404′s and 500′s), setting up an alert system and analytics on administrative systems, particularly when it comes to access to those systems, should be a priority for the launch of any site.

However, the majority of the blame should be paced at the feet of the administrator.  Whoever did this is not alone.  A number of years ago I was involved in a site security audit where we essentially ran the following SQL statement (it wasn’t this simple, but you get the idea):

select password, count(password)
from users
group by password
order by count(password) DESC

The results of this on the site (and, I imagine every site) were shocking.  The top positions were held down by passwords such as “password”, “12345″, and the names of cartoon characters.

Factoring in proper nouns, capitalization differences, and prefixes and suffixes, there are only a couple of hundred million passwords that are based on the English language. If the hackers were able to brute-force attack the form at the rate of 10 tries per second, they could exhaust every iteration of every word in English in a month.

If you look at using random letters, numbers, and symbols in a password, the possibilities balloon. A six-character password of this type has over 200 BILLION combinations. At the same rate, it would take a brute-force attack over TEN YEARS to exhaust the possibilities. An eight-character password would take over fifty thousand years! So you can see the power of strong passwords.

To avoid a screw-up of such magnitude with your personal and professional applications, try the following two sites to generate strong passwords (and avoid ones that are actual words):

Automated Password Generator Online: This allows you to set criteria for your potential passwords such as length and character set.

GRC’s Ultra High Security Password Generator: This site generates three types of truly random strings with each page refresh. It also goes into the math of 512-bit encryption.

Good luck and stay safe!