There is a new trend in Internet crime: criminals breaking into web sites by guessing passwords, then installing cross-site scripting (XSS) exploits on the compromised web site’s pages. That in itself is nothing new, but the process has been automated somehow, so that apparently millions of web sites have been broken into in recent weeks. This forces a change in the way we handle web site passwords. It also calls for a change in web browsers.
It is more important than ever for a web site to have a strong password. The password of a web site should not be a single word or an obvious combination of two words. We can now add that it should also not be a combination of words that appear on the web site.
Just three years ago, we were encouraging people to form strong passwords by combining two unrelated words, as an improvement over single-word passwords. That strategy can still work, but it does not form a strong password if the words, or the combination of them, are obvious. A single word is too obvious because there are only about a million words in common use on the Internet, and a break-in program can try a million passwords in the blink of an eye. Consider an ordinary company or musician web site: it has fewer than 30,000 distinct words. These words form fewer than a million pairs of words, so the combination is still too obvious to use as a password.
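The two rules above (no single word, no combination of words that appear on the site) can be enforced on the defender's side when a site password is set. The check below is an added example, not code from the original article; the page texts, word limit and passwords are constructed samples, and the splitting routine generalises from pairs to any number of words.

```python
import re

def site_word_list(page_texts):
    """Distinct lowercase words (2+ letters) appearing in the site's page texts."""
    words = set()
    for text in page_texts:
        words.update(w.lower() for w in re.findall(r"[A-Za-z]{2,}", text))
    return words

def splits_into_words(s, words, max_words):
    """True if s is exactly one word, or a concatenation of up to max_words words, from `words`."""
    if max_words == 0:
        return s == ""
    if s in words:
        return True
    # try every prefix that is itself a site word and recurse on the remainder
    return any(s[:i] in words and splits_into_words(s[i:], words, max_words - 1)
               for i in range(2, len(s)))

def password_problems(password, words, min_length=12, max_words=2):
    """Reasons a candidate site password would be rejected; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # strip digits and punctuation first, so padding a site word with '-2024' does not help
    letters = re.sub(r"[^A-Za-z]", "", password).lower()
    if letters and splits_into_words(letters, words, max_words):
        problems.append("made of up to %d words that appear on the site" % max_words)
    return problems

# constructed sample text standing in for the crawled pages of a small company site
SITE_PAGES = [
    "Acme Widgets sells the finest widgets in Springfield.",
    "Contact our sales team today for a quote.",
]
SITE_WORDS = site_word_list(SITE_PAGES)

if __name__ == "__main__":
    for candidate in ["widgets", "Acme-Widgets-2024", "SpringfieldSales", "orbit-lantern-quiet-47"]:
        print(candidate, "->", password_problems(candidate, SITE_WORDS) or "accepted")
```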
So many web site passwords have been compromised that some web hosts have gone to the trouble of resetting all passwords. In truth, it would be hard to find out if someone had broken into your site. You would find out only if someone happened to notice the small and sometimes temporary changes in the web code, changes that would not be visible in the web pages themselves. And so the old suggestion of changing passwords periodically still applies — even for web sites on which the pages themselves barely change from year to year.