A recent attack on the popular microblogging site Twitter has produced a great deal of buzz around the social mediasphere and the developer community because of how it was carried out. By all accounts it was a pretty basic dictionary attack against the front door of the Twitter site: repeatedly guessing passwords at the login form until one worked.
Jeff Atwood reports on his blog how the attack was carried out and how you, as a developer, can defend against dictionary attacks.
He provides a lot of information to assist you in protecting your data or, as is often the case, your users' data. One of the things Jeff mentions is throttling failed login attempts by imposing a wait time before the next attempt is accepted, which defeats the basic repetitive guessing that a dictionary attack relies on. He also mentions requiring a CAPTCHA (reCAPTCHA, for example) after a certain number of failures to make sure you are dealing with a human as opposed to a bot.
Google employs this principle. I have actually tested this (in fact, I had to use it when I forgot a Google password once). This is perhaps the cleanest kind of login failure handling, because it lets a legitimate user make mistakes without penalizing them for not remembering. Believe it or not, there are some people who forget their passwords and choose to actually try to remember them instead of resetting them. I know, it seems archaic, but it does happen.
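To make the two measures above concrete, here is an added example of a login failure handler that combines them: each failure doubles the wait before the next attempt is accepted, and after a fixed number of failures the form demands a CAPTCHA before it will even check the password. This is illustration code written for this post, not Jeff's code and not how Twitter or Google implement it; the thresholds, the `LoginThrottle` and `attempt_login` names, and the injectable clock are assumptions made for the example.

```python
"""Failed-login throttling: escalating wait time plus a CAPTCHA gate.

Added example for this post; thresholds below are assumptions, not
values taken from any real site.
"""
import time
from dataclasses import dataclass

CAPTCHA_AFTER = 3          # failures before the form demands a CAPTCHA
BASE_DELAY_SECONDS = 2     # first lockout period; doubles per further failure
MAX_DELAY_SECONDS = 300    # cap so the wait never grows without bound


@dataclass
class _Record:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failures per key (a username, or better, username + client IP)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can fake time
        self._records: dict[str, _Record] = {}

    def status(self, key):
        """Return (allowed_now, seconds_to_wait, captcha_required)."""
        rec = self._records.get(key, _Record())
        wait = max(0.0, rec.locked_until - self._clock())
        return wait == 0.0, wait, rec.failures >= CAPTCHA_AFTER

    def record_failure(self, key):
        """Bump the failure count and return the new lockout length in seconds."""
        rec = self._records.setdefault(key, _Record())
        rec.failures += 1
        delay = min(BASE_DELAY_SECONDS * 2 ** (rec.failures - 1), MAX_DELAY_SECONDS)
        rec.locked_until = self._clock() + delay
        return delay

    def record_success(self, key):
        """A correct password clears the history for that key."""
        self._records.pop(key, None)


def attempt_login(throttle, key, password, check_password, captcha_ok=False):
    """Run one login attempt through the throttle.

    Returns one of ("wait", seconds), ("captcha", 0), ("fail", seconds),
    ("ok", 0). The password is only checked once the throttle allows it,
    so a guessing script pays the full wait on every wrong answer.
    """
    allowed, wait, needs_captcha = throttle.status(key)
    if not allowed:
        return ("wait", wait)
    if needs_captcha and not captcha_ok:
        return ("captcha", 0)
    if check_password(password):
        throttle.record_success(key)
        return ("ok", 0)
    return ("fail", throttle.record_failure(key))


def demo():
    """Constructed scenario: a script guesses four passwords for 'alice'
    and patiently waits out every lockout. The real password is 'hunter2'."""
    clock = [1000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    outcomes = []
    for guess in ["happiness", "password", "letmein", "hunter2"]:
        outcomes.append(attempt_login(throttle, "alice", guess,
                                      lambda p: p == "hunter2")[0])
        clock[0] += 1000  # attacker waits long enough for the lock to expire
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Note what the demo shows: the fourth guess is the correct password, yet it is refused with `captcha` because three failures have already accumulated, so a bot cannot simply wait out the delays. One caveat worth handling in a real deployment: keying the throttle on the username alone lets an attacker lock a legitimate user out on purpose, so many sites key on username plus client address, or only ever escalate to a CAPTCHA rather than a hard lockout for the username part.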
Another way to make things better for your users is not only to allow a mix of numbers, upper- and lower-case letters, and special characters, but to actually require a mix of those character types. It may seem inconvenient at the time, but it will always be less inconvenient than a security breach caused by a password like "happiness". Keep in mind, though, that the real weakness of "happiness" is that it is a dictionary word: checking candidate passwords against a list of common words and passwords matters at least as much as the character-class rules.
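An added example (not from Jeff's article or this post's original text) of a password check that enforces the character-class mix and also catches the dictionary-word case. The `COMMON_PASSWORDS` set is a constructed stand-in for the large published list a real deployment would load; the minimum length and the function names are assumptions made for the example.

```python
"""Password policy check: character-class mix plus a dictionary-word test.

Added example for this post. COMMON_PASSWORDS is a constructed sample; a
real deployment would load a large published list of leaked passwords.
"""
import re

COMMON_PASSWORDS = {
    "password", "happiness", "letmein", "qwerty", "123456", "iloveyou",
}

# One regex per required character class.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def missing_classes(password):
    """Names of the character classes the password does not contain."""
    return [name for name, rx in CLASSES.items() if not rx.search(password)]


def dictionary_core(password):
    """Strip the digits and punctuation people bolt onto a word and lowercase
    it, so 'Happiness1!' is compared to the list as 'happiness'."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password, min_length=10):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = missing_classes(password)
    if missing:
        problems.append("missing " + ", ".join(missing))
    if dictionary_core(password) in COMMON_PASSWORDS:
        problems.append("based on a common dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["happiness", "Happiness1!", "correct-horse-7Battery"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The second candidate is the instructive one: "Happiness1!" satisfies every character-class rule, yet it is exactly the kind of guess a dictionary attack with a few mangling rules will make, and only the dictionary test rejects it.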
Regardless of what you choose to employ in terms of front door security, I would suggest you read Jeff's article. It has plenty of useful information about security and protecting against dictionary attacks.