Raising the Security Wall Higher
Written by Carl E. Reid on March 5, 2009
No matter how email users may complain, friendly reminders regarding email security protecting company information assets are part of the ongoing education process. Email users quickly forget that the company owns the information within each email account. The email system is owned by the company, not the email user. This also implies that it’s up to each person to ensure that their email account is always secure. People lazily create passwords that are familiar and easy to hack.
Email administrators are the gatekeepers who ensure email accounts are kept secure. Sometimes this requires setting up secure procedures that appear to be an inconvenience to the end user community. So forcing 8-character passwords instead of 6-character passwords can make all the difference. The inconvenience is minimal compared to thwarting password dictionary attacks or brute force attacks.
Raising the security wall also calls for insisting people use pass phrases, rather than passwords. Choosing a simple password typically makes a dictionary attack easier for the account hacker. People take the path of least resistance by selecting names of pets, kids, spouses, birthdays, house address or basically something that ends up being an extremely poor password choice.
The success of a dictionary attack is improving because hackers are smartly using large dictionaries and combining them with foreign language dictionaries. The addition of technical dictionaries increases the chance of hitting on the correct password. Dictionary attacks also succeed by applying variations to the word strings within each dictionary; for example, a hacker will try each dictionary word spelled both forward and backward.
Considerations to Minimize Brute Force Attacks
- Force people to enter a longer length password or phrase (8 to 10 characters)
- Allow the pass phrase to contain characters other than numbers, such as *, # or $
- Lock the account after 5 failed login attempts
A brute force attack will always succeed, eventually. The deciding factor is the size of the search space: a system that enforces sufficiently long pass phrases produces enough combinations that an exhaustive search could require years to complete.
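The three considerations above, together with the forward/backward dictionary check from the earlier paragraph, can be wired into a small account-protection module. The following is an added example written for this article, not code from the original post or from any particular email product; the minimum length (8), the lockout threshold (5) and the symbol examples (*, #, $) come from the post, while the broader symbol set, the tiny word list and the guess rates used in the brute force estimate are constructed for illustration.

```python
"""Password policy check, forward/reversed dictionary check, failed-login
lockout, and a worst-case brute force time estimate for an email system.

Added example; the thresholds follow the article, the word list and the
guess rates are constructed values, not measurements.
"""
import string

MIN_LENGTH = 8                      # article: force 8 to 10 characters
MAX_FAILED_ATTEMPTS = 5             # article: lock after 5 failed logins
ALLOWED_SYMBOLS = set("*#$!@%&?-_.")  # assumption: permissive symbol set

# Constructed mini dictionary standing in for the large word lists the
# article describes (pet names, family names, common words).
WORDLIST = {"fluffy", "rex", "michael", "jennifer", "password", "summer"}


def dictionary_hit(candidate):
    """True if the candidate is a word-list entry spelled forward or
    backward, ignoring case and any trailing digits ('Fluffy1', 'yffulF99')."""
    core = candidate.lower().rstrip(string.digits)
    return core in WORDLIST or core[::-1] in WORDLIST


def check_policy(candidate):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in ALLOWED_SYMBOLS for c in candidate):
        problems.append("no symbol such as *, # or $")
    if dictionary_hit(candidate):
        problems.append("dictionary word (forward or reversed)")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per account and locks the account
    once the threshold is reached."""

    def __init__(self, threshold=MAX_FAILED_ATTEMPTS):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def record_failure(self, account):
        """Record one failed attempt; return True if the account is locked."""
        if account in self.locked:
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return account in self.locked

    def record_success(self, account):
        """A successful login on an unlocked account resets its counter."""
        if account not in self.locked:
            self.failures.pop(account, None)

    def is_locked(self, account):
        return account in self.locked


def brute_force_years(length, alphabet_size, guesses_per_second):
    """Years needed to try every combination of the given length over the
    given alphabet at the given guess rate (an exhaustive, worst-case search)."""
    combinations = alphabet_size ** length
    seconds = combinations / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Fluffy1", "yffulF99", "Blue#Kettle42"):
        print(pw, "->", check_policy(pw) or "OK")
    # Constructed rates: 6 lowercase letters at a million guesses a second
    # versus 10 printable characters at a billion guesses a second.
    print("6 lowercase @ 1e6/s: %.2e years" % brute_force_years(6, 26, 1e6))
    print("10 printable @ 1e9/s: %.0f years" % brute_force_years(10, 94, 1e9))
```

The reversed-word check is what catches a pass phrase such as `yffulF99`, which passes a naive length test but is just a pet name spelled backward with digits appended. The two `brute_force_years` calls make the article's closing point concrete: six lowercase letters fall in seconds, while ten characters drawn from the full printable set keep an exhaustive search in the range of centuries at the assumed rate.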