Email password policy
Posted by Wolf Leonhardt on 26 April 2013 09:23 AM
It is our policy to have complex passwords. First the rules then a brief explanation on why this is necessary.
1 - Password cannot contain username or alias
2. Minimum password length 7
3. Number of numeric characters in password (0-9) 1
4. Number of non alpha-numeric characters in password ( ! @ # $ % ....) 1
5. Number of alpha characters in password (a-z)(A-Z) 1
6. Number of uppercase alpha characters in password (A-Z) 1
Ca1gary$ (although this meets the rules, it may still be considered weak)
So why is this necessary?
If your account is on a shared mail server, any compromise of your account effects everyone on the server and lessens the ability of the server to properly send and receive emails.
bill@some_domain_name.com has a password of "joshua". (his son's name so very easy to remember). Spammers come across bill's email address and launch an automated dictionary attack. They keep trying different passwords based on normal english words (common words & names can be readily downloaded on the internet in minutes).
So after a couple hundred attempts at logging into Bill's account, their program comes back with a success alert. They now have Bill's password. The same program immediately begins to send out spam emails to the internet at various rates (dozens, hundreds, thousands - depending on whether this spam project is a quick blast or a sustained long term project).
As the spam starts to hit the internet, it typically also hits spamtraps, which are specific email addresses set up to attract spam and then immediately block the mail server that sent it. This is a honey pot mode of operation. Once the mail server's IP address is blocked it typically will be added to various RBL lists- real time block lists.
Now that the server is on the real time block list, any of the other email users on the server will also be blocked from sending to various legitimate email addresses. So even though it was Bill's account that was compromised it now affects the reliability of the entire server.
Although it is easy for the various RBL people to add a server to the spammer list , it is not easy to be removed. Getting a legitimate mail server removed from a block list varies depending on the list. Some expire after 24 hours, some require a request, some do not even cooperate.
Our goal is to provide reliable email services, by staying secure, you are greatly assisting us in this.
Thank you for being our customer!
Chinook Webs Inc.