Improving Drupal security using delay

Recently I read an interesting cartoon from XKCD. The comic is about how people choose their passwords. In short, a short password (even one padded with unusual characters) is easier to guess with a brute-force method, which tries candidate passwords one by one from keyboard characters. Unfortunately, at the time the comic was written, the assumed guess rate was around 1000 guesses/second, while current processors are already far above that. For example, a Core 2 Duo processor is able to do 32 million guesses per second, and that is without using the computing power of a graphics card (the GPGPU method). One piece of software claims that a current processor combined with a certain graphics card can push the guess rate up to 2 billion guesses per second! @_@


So let's move to the other side of security, namely how the system handles passwords, in this context Drupal. One of the reasons I like Drupal is its attention to security. Drupal already comes with a mechanism called Flood Control that limits how many times a user (or cracker) is allowed to enter a wrong password. After a certain number of failures, the user's IP address is blocked for a certain period of time. More conveniently, for Drupal 7 there is a module called Flood Control that lets you adjust those variables from the administration interface. The limit can be applied not only per IP address but also per user ID. For those who still prefer Drupal 6, Login Security comes in handy. These features impose a significant delay on any cracking effort: 2 billion guesses per second may be possible offline, but if the IP is blocked after 3 wrong login attempts, that super-fast computation is useless against the login form. Delay is therefore a significant factor in disrupting password cracking.
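To make the effect of the delay concrete, here is an added example (not code from Drupal or from the Flood Control module) that models a sliding-window failure counter in the style of Drupal's flood table, then compares the number of guesses the login form will actually check per day with the offline rates quoted above. The limit and window values, the IP address and the keyspace size are all constructed for the illustration; the 3-attempt figure matches the text, while the 5 attempts per 6 hours per user ID used in the second call is the Drupal 7 default as I remember it, so treat it as an assumption.

```python
"""Toy model of Drupal-style flood control (added example, not Drupal's code)."""
import math
from collections import defaultdict


class FloodControl:
    """Sliding-window counter: at most `limit` failures per `window_seconds`.

    The key is whatever the site limits on, e.g. an IP address or an
    'ip:uid' pair (the keys used below are constructed sample values).
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(list)

    def _prune(self, key, now):
        # Forget failures that fell out of the window.
        cutoff = now - self.window
        self._events[key] = [t for t in self._events[key] if t > cutoff]

    def is_allowed(self, key, now):
        self._prune(key, now)
        return len(self._events[key]) < self.limit

    def register_failure(self, key, now):
        self._events[key].append(now)

    def clear(self, key):
        self._events.pop(key, None)


def attempt_login(flood, key, password_ok, now):
    """Return 'blocked', 'ok' or 'failed'.

    Only failures are counted; a successful login clears the counter,
    which is also how Drupal behaves.
    """
    if not flood.is_allowed(key, now):
        return "blocked"          # password is not even checked
    if password_ok:
        flood.clear(key)
        return "ok"
    flood.register_failure(key, now)
    return "failed"


def simulate_online_attack(limit, window, horizon_seconds, key="198.51.100.7"):
    """Count how many wrong guesses the form actually checks when an attacker
    fires guesses every second for `horizon_seconds` against one key.
    One guess per second is enough resolution: anything beyond `limit`
    inside a window is blocked anyway."""
    flood = FloodControl(limit, window)
    checked = 0
    for now in range(horizon_seconds):
        if attempt_login(flood, key, False, now) == "failed":
            checked += 1
    return checked


def guesses_per_day(limit, window):
    """Upper bound on guesses checked per day once flood control is active."""
    return limit * 86400 / window


def days_to_exhaust_online(keyspace, limit, window):
    """Days needed to try every password in `keyspace` through the login form."""
    return keyspace / guesses_per_day(limit, window)


def seconds_to_exhaust_offline(keyspace, rate_per_second):
    """Same keyspace attacked offline at `rate_per_second` (hash cracking)."""
    return keyspace / rate_per_second


if __name__ == "__main__":
    keyspace = 2 ** 28   # constructed: a smallish password space
    print("offline @ 2e9/s:", seconds_to_exhaust_offline(keyspace, 2e9), "s")
    print("online, 3 per hour per IP:",
          math.ceil(days_to_exhaust_online(keyspace, 3, 3600)), "days")
    print("online, 5 per 6h per user:",
          math.ceil(days_to_exhaust_online(keyspace, 5, 21600)), "days")
    print("guesses checked in one day:", simulate_online_attack(3, 3600, 86400))
```

Note that the delay only protects the login form itself; if the password hash table is stolen, the attacker is back at the offline rate, which is why the hash algorithm still matters.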
