Do people actually use vowels in their passwords? I thought they turned them into 0, 1, 3, 4, and other l33t characters to satisfy "must have a number" rules. Salted hashes are important, of course, but if you only need to crack one user and not all of them, then a dictionary attack with a "Top 1000 Wimpy Passw0rds" list isn't going to have much trouble, and if you need a list of "A Million Wimpy Passwords and 100,000 Normal Variations" there's probably one out there, just in case there isn't some user who used "abc123" or "123456" or "password".

At 08:17 AM 11/12/2013, Guido Witmond wrote:
On 11/12/13 17:00, David Vorick wrote:
Which means the current password model is broken, as we all know it has been for a while. Why isn't there a stronger effort to replace it with something like a universal public key system?
Plug: You mean, something like this: http://eccentric-authentication.org/

Regards, Guido.
There's Bellovin and Merritt's EKE (Encrypted Key Exchange) from ~1993, https://en.wikipedia.org/wiki/Encrypted_key_exchange, for which the patents expired in 2011 and 2013.
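The point in the first message above, that a per-user salt does not slow down an attacker who only wants one account and has a wordlist plus l33t mangling rules, is easy to see in code. The following is an added example, not code from any poster on this thread; the user database, the salts, the wordlist and the substitution table are all constructed here for illustration, and SHA-256 stands in for whatever password hash the site actually uses. It cracks one user with a mangled dictionary, then cracks every user, and for contrast shows how an unsalted database lets the same candidate list be hashed once and reused for all users:

```python
import hashlib
import itertools
import os

# Constructed l33t substitution table (assumption: a common subset of the
# substitutions people use to satisfy "must contain a digit" rules).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Constructed "Top N Wimpy Passwords" wordlist.
WORDLIST = ["123456", "password", "abc123", "dragon", "letmein", "qwerty"]

# Constructed sample users; only used to build the test database.
SAMPLE_USERS = {"alice": "P4ssw0rd!", "bob": "dragon123", "carol": "Tr0ub4dor&3"}


def leet_variants(word, max_subs=2):
    """Yield the word itself plus every variant with up to max_subs substitutions."""
    positions = [i for i, ch in enumerate(word.lower()) if ch in LEET]
    yield word
    for k in range(1, min(max_subs, len(positions)) + 1):
        for combo in itertools.combinations(positions, k):
            choices = [LEET[word[i].lower()] for i in combo]
            for repl in itertools.product(*choices):
                chars = list(word)
                for i, r in zip(combo, repl):
                    chars[i] = r
                yield "".join(chars)


def mangle(word):
    """Typical mangling rules: capitalization, l33t substitutions, common suffixes."""
    seen = set()
    for base in (word, word.capitalize()):
        for variant in leet_variants(base):
            for suffix in ("", "1", "123", "!"):
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def salted_hash(salt: bytes, password: str) -> str:
    # SHA-256 is a stand-in; a real site should use a slow hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_db(users=SAMPLE_USERS):
    """Build a constructed password database with a random 16-byte salt per user."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(salt, pw))
    return db


def crack_user(db, user, wordlist=WORDLIST):
    """Targeted dictionary attack on one user's salted hash.

    Returns (recovered password or None, number of hashes computed).
    The salt is known to the attacker (it is stored next to the hash), so it
    costs nothing except that the work cannot be shared with other users.
    """
    salt, digest = db[user]
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if salted_hash(salt, cand) == digest:
                return cand, tried
    return None, tried


def crack_all(db, wordlist=WORDLIST):
    """Attack every user; with per-user salts the cost is roughly users x candidates."""
    results, total = {}, 0
    for user in db:
        pw, n = crack_user(db, user, wordlist)
        results[user] = pw
        total += n
    return results, total


def crack_all_unsalted(unsalted_db, wordlist=WORDLIST):
    """For contrast: without salts, hash each candidate once and look up all users."""
    lookup, tried = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            lookup[hashlib.sha256(cand.encode()).hexdigest()] = cand
    return {u: lookup.get(h) for u, h in unsalted_db.items()}, tried


if __name__ == "__main__":
    db = make_db()
    print("alice:", crack_user(db, "alice"))
    print("all salted:", crack_all(db))
    plain = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in SAMPLE_USERS.items()}
    print("all unsalted:", crack_all_unsalted(plain))
```

The salt makes no difference to the cost of cracking alice alone: her "P4ssw0rd!" falls out of "password" after one capitalization, two substitutions and a suffix. What the salt buys is that the hashes computed for alice are useless against bob, so the attacker's total work grows with the number of users instead of staying at one pass over the candidate list, and precomputed tables are worthless. A slow, memory-hard hash is what actually raises the per-guess cost.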