[SOT] {FWD} [Dailydave] Don't use vowels in passwords! (fwd)
Bill Stewart
bill.stewart at pobox.com
Tue Nov 12 19:11:25 PST 2013
Do people actually use vowels in their passwords?
I thought they turned them into 0, 1, 3, 4, and other l33t characters
to satisfy "must have a number" rules.

Salted hashes are important, of course, but if you only need to crack
one user and not all of them, then a dictionary attack with a "Top
1000 Wimpy Passw0rds" list isn't going to have much trouble, and if
you need a list of "A Million Wimpy Passwords and 100,000 Normal
Variations" there's probably one out there, just in case there isn't
some user who used "abc123" or "123456" or "password".
At 08:17 AM 11/12/2013, Guido Witmond wrote:
>On 11/12/13 17:00, David Vorick wrote:
> > Which means the current password model is broken, as we all know it
> > has been for a while. Why isn't there a stronger effort to replace
> > it with something like a universal public key system?
>
>Plug: You mean, something like this:
> http://eccentric-authentication.org/
>Regards, Guido.
There's Bellovin and Merritt's EKE Encrypted Key Exchange from ~1993
https://en.wikipedia.org/wiki/Encrypted_key_exchange
for which the patents expired in 2011 and 2013.
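
The point above about l33t substitutions, seen from the defender's side, as an added example that is not part of the original post: a password-acceptance check that undoes common substitutions and strips trailing digits before consulting a blocklist, so "Passw0rd" is rejected along with "password". The blocklist, the substitution map and all function names are constructed for illustration.

```python
import itertools

# Constructed sample blocklist; a real deployment would load a large
# common-password list instead.
COMMON = {"password", "abc123", "123456", "letmein", "monkey", "dragon"}

# Digits/symbols commonly used in place of letters (assumed mapping).
# "1" is ambiguous (i or l), so each character maps to a set of candidates.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
}

MAX_VARIANTS = 4096  # bound the expansion for long, substitution-heavy inputs


def deleet_variants(password):
    """Yield lowercase readings of password with leet characters undone."""
    choices = []
    for ch in password.lower():
        # Keep the literal character too, so "abc123" still matches itself.
        choices.append(ch + LEET.get(ch, ""))
    for combo in itertools.islice(itertools.product(*choices), MAX_VARIANTS):
        yield "".join(combo)


def strip_affixes(word):
    """Drop trailing digits/punctuation added to satisfy composition rules."""
    return word.rstrip("0123456789!@#$%.?")


def is_wimpy(password, blocklist=COMMON):
    """True if any de-leeted reading (with or without suffix) is blocklisted."""
    for variant in deleet_variants(password):
        if variant in blocklist or strip_affixes(variant) in blocklist:
            return True
    return False


if __name__ == "__main__":
    for candidate in ["Passw0rd", "P@ssw0rd1!", "m0nk3y2013",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {'reject' if is_wimpy(candidate) else 'accept'}")
```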