Re: We need a court action
I can't remember the whole list, but there are some basic rules that all users can check when they sign up to a new website. Perhaps this could be set as the "minimum level of protection"?
* Passwords should not be accepted if they are the common 'words' used for passwords, i.e. password, secret, 1234, etc.
* Passwords should require a mixture of upper / lower case, numbers and 'special' characters (I am not sure how much this helps)
* Passwords should be a minimum length
* Passwords that have been used before should be rejected (a time limit or quantity)
* A forgotten password link should not be able to send your password - it must be encrypted in the website's database and so be unrecoverable. The recovery process should require the user to enter a new password before gaining access.
* After a small number of failed attempts, login should be disabled for a time
I'm sure there are other simple rules. Anyone can check for these rules when they sign up. There should be a way of reporting sites that fail these checks.
This would not have protected GWR though.
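As an added illustration (not code from the original post or its author), here is one way the rules in that list can be checked in code: a deny-list of common words, a minimum length, a mix of character classes, rejection of previously used passwords, salted one-way hashing so a "forgotten password" flow can only issue a reset token rather than reveal the password, and a temporary lockout after a small number of failures. All names, limits (12 characters, 3 character classes, 5 remembered passwords, 5 failures, 15-minute lockout) and the short deny-list are assumptions chosen for the example.

```python
# Added example, not part of the original post: a small password-policy
# checker and account model for the rules listed above. The limits and the
# deny-list below are assumptions chosen for illustration only.
import hashlib
import hmac
import os
import re
import secrets
import time

MIN_LENGTH = 12           # assumed minimum length
MIN_CLASSES = 3           # of: lower, upper, digit, special
HISTORY_SIZE = 5          # how many previous passwords are rejected
MAX_FAILURES = 5          # failed logins before a temporary lockout
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000   # kept modest so the example runs quickly

# Constructed deny-list of common passwords; a real one would be far longer.
COMMON_PASSWORDS = {"password", "secret", "1234", "123456", "qwerty", "letmein"}

CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). The digest cannot be reversed,
    which is what makes the stored password unrecoverable by a 'send my password' link."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(password, history):
    """Return the list of rule names the password violates (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_word")
    classes = sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))
    if classes < MIN_CLASSES:
        problems.append("too_few_character_classes")
    # Reuse is detected by verifying against each remembered hash, never by storing plaintext.
    if any(verify_password(password, salt, digest) for salt, digest in history):
        problems.append("previously_used")
    return problems


class Account:
    def __init__(self, initial_password):
        self.history = []        # list of (salt, digest); the last entry is the current password
        self.failures = 0
        self.locked_until = 0.0
        self.reset_token_hash = None
        self.set_password(initial_password)

    def set_password(self, new_password):
        problems = check_policy(new_password, self.history)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_SIZE:]
        self.failures = 0

    def login(self, password, now=None):
        """Returns 'ok', 'denied' or 'locked'; locks the account after MAX_FAILURES failures."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if verify_password(password, salt, digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "denied"

    def request_reset(self):
        """Forgotten-password flow: issue a one-time token to be sent out of band.
        Only the token's hash is kept, and the old password is never revealed."""
        token = secrets.token_urlsafe(32)
        self.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        return token

    def complete_reset(self, token, new_password):
        """Consume the token and require a new policy-compliant password before access."""
        if self.reset_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, self.reset_token_hash):
            return False
        self.set_password(new_password)   # raises ValueError if the new password breaks policy
        self.reset_token_hash = None
        self.locked_until = 0.0
        return True
```

Checking the policy at sign-up and at every reset covers the first four rules; keeping only a salted hash covers the "unrecoverable" rule, since the reset flow can hand out a fresh token but never the password itself; the failure counter and `locked_until` cover the last rule.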