[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Sat Dec 31 21:05:28 EST 2011

On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> Here's a heretical thought: require people to change their passwords --
> and publish the old ones.  That might even be a good idea...

I'm not sure if you were just being facetious here or if you were serious, but
you know, I think you might just be onto something here...especially
if we could do this and allow some degree of anonymity. Maybe if we
could post the passwords, run them through a password cracker for
T minutes to see if they could be cracked that way or allow people
to comment on them. It would give people an opportunity to teach
how to create secure passwords and to critique weak ones by
showing why they are weak.

If this were something that was voluntary as well as anonymous,
I think it has a chance for the greater good. Without anonymity,
we would definitely have to make it voluntary only, or
at least grant an amnesty period where people could opt out.
Otherwise, you'd end up with a lot of lawsuits and likely fired

But I think you may be onto something here.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
