[cryptography] Password non-similarity?

Jeffrey Walton noloader at gmail.com
Sat Dec 31 21:56:11 EST 2011


On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> [snip]
>> Here's a heretical thought: require people to change their passwords --
>> and publish the old ones.  That might even be a good idea...
>
> I'm not sure if you were just being facetious here or if you were serious, but
> you know, I think you might just be onto something here...especially
> if we could do this and allow some degree of anonymity. Maybe if we
> could post the passwords, run them through a password cracker for
> T minutes to see if they could be cracked that way or allow people
> to comment on them.
"Google as a password cracker",
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/.
No need to waste local cycles (someone else previously posted a
similar link).

> It would give people an opportunity to teach
> how to create secure passwords and to critique weak ones by
> showing why they are weak.
I think this would be a bad idea. I imagine it would promote stemming-related
attacks. If not completely anonymous and coupled with some
reconnaissance (IP => Company, find some users at company.com), it
could prove to be a very dangerous practice.

Besides, there are plenty of password lists floating around.
http://www.google.com/#q=password+list.

Jeff