It is alarming to hear that @parliament.uk email accounts fell victim to a brute-force attack. I understand some 90 accounts have been compromised. These accounts had weak passwords, evidently.
- The digital team should not have allowed ‘weak’ passwords. Yes, we all get annoyed at being forced to pick passwords that are more than 8 characters, have a number and a special character, but there’s a good reason for it.
- If an incorrect password is entered more than 5 times, the account should have been locked, stopping a brute-force attack in its tracks.
- Let’s not immediately rush to blame the digital team. Proper investigation, etc. But it does seem that two-factor authentication needs to be enforced at all levels from now on.
As annoying as that might be, it’s a lot less annoying than being locked out all weekend and potentially having all of your emails fall into the hands of hackers.
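The two controls from the list above, a password-strength rule at registration and an account lockout after repeated failures, are small enough to show in code. The following is an added example written for this post, not code from Parliament's digital team or any real system. The thresholds (at least 8 characters, a digit, a special character, lockout on the 5th failed attempt) follow the post's description; the 15-minute lockout window, the PBKDF2 hashing and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Policy thresholds (assumed for this example; the post gives the first three
# figures, the lockout duration is an added assumption).
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def password_policy_violations(password: str) -> List[str]:
    """Return the reasons a password fails the policy (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so a stolen database does not yield plaintexts."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


@dataclass
class Account:
    username: str
    salt: bytes
    key: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class Authenticator:
    accounts: Dict[str, Account] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable so tests can advance time

    def register(self, username: str, password: str) -> None:
        """Refuse weak passwords up front instead of storing them."""
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt, key = hash_password(password)
        self.accounts[username] = Account(username, salt, key)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        account = self.accounts.get(username)
        now = self.clock()
        if account is None:
            # Unknown user: do the same hashing work so response time does not
            # reveal which usernames exist, then deny.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < account.locked_until:
            # Locked accounts reject even the correct password until the window ends.
            return "locked"
        _, candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.key):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Temporary lockout: stops an online guessing run without leaving
            # the owner permanently locked out by a hostile stream of bad guesses.
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "Winter-2017")  # constructed sample credential
    print([auth.login("alice", "guess-0") for _ in range(MAX_FAILED_ATTEMPTS)])
    print(auth.login("alice", "Winter-2017"))  # locked until the window passes
```

The lockout is deliberately time-limited rather than permanent: a permanent lock turns the control into a way for anyone to deny the owner access by sending wrong passwords, which is why the usual pairing is a short lockout plus per-source rate limiting, with two-factor authentication covering the case where a password has already leaked.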
Update: Two-factor authentication is now required.