[Dailydave] Don't use vowels in passwords! (fwd)

Bill Stewart bill.stewart at pobox.com
Tue Nov 12 19:11:25 PST 2013

Do people actually use vowels in their passwords?
I thought they turned them into 0, 1, 3, 4, and other l33t characters 
to satisfy "must have a number" rules.

Salted hashes are important, of course, but if you only need to crack 
one user and not all of them, then a dictionary attack with a "Top 
1000 Wimpy Passw0rds" list isn't going to have much trouble, and if 
you need a list of "A Million Wimpy Passwords and 100,000 Normal 
Variations" there's probably one out there, just in case there isn't 
some user who used "abc123" or "123456" or "password".

At 08:17 AM 11/12/2013, Guido Witmond wrote:
>On 11/12/13 17:00, David Vorick wrote:
> > Which means the current password model is broken, as we all know it
> > has been for a while. Why isn't there a stronger effort to replace
> > it with something like a universal public key system?
>Plug: You mean, something like this:
>         http://eccentric-authentication.org/
>Regards, Guido.

There's Bellovin and Merritt's EKE Encrypted Key Exchange from ~1993
for which the patents expired in 2011 and 2013.
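The post's point that swapping vowels for 0/1/3/4 does not rescue a dictionary word suggests the defensive counterpart: a password-policy check that undoes those substitutions before comparing against a banned-word list. This is an added example, not code from the post or the list; `LEET_MAP`, `BANNED` and the sample passwords are constructed assumptions.

```python
import re

# Substitutions people use to satisfy "must contain a digit/symbol" rules
# while keeping a dictionary word; one glyph may stand for several letters.
LEET_MAP = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
}
MAX_VARIANTS = 4096  # bound the branching on ambiguous glyphs such as '1'

# Constructed sample banned list; a real check loads a breached-password corpus.
BANNED = {"password", "letmein", "welcome", "abc123", "123456", "qwerty", "dragon"}


def expand_leet(pw: str) -> set[str]:
    """All plausible de-l33ted readings of pw, lowercased."""
    variants = {""}
    for ch in pw.lower():
        letters = LEET_MAP.get(ch, ch)  # string of candidate letters for ch
        variants = {v + c for v in variants for c in letters}
        if len(variants) > MAX_VARIANTS:  # pathological input: keep a bounded subset
            variants = set(sorted(variants)[:MAX_VARIANTS])
    return variants


def strip_decoration(pw: str) -> str:
    """Drop leading/trailing non-letters: 'Password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def is_weak(pw: str) -> bool:
    """True if pw is a banned word, or a banned word dressed up with l33t
    substitutions and/or leading/trailing digits and punctuation."""
    bases = {pw.lower(), strip_decoration(pw)}
    candidates = set(bases)
    for base in bases:
        candidates |= expand_leet(base)
    return not candidates.isdisjoint(BANNED)


if __name__ == "__main__":
    for pw in ["p4ssw0rd", "P@$$w0rd1!", "l3tm31n", "abc123", "Tr0ub4dor&3"]:
        print(f"{pw!r:16} weak={is_weak(pw)}")
```

The check only normalizes what the banned list can then catch, so its strength is the size of that list; the l33t expansion is there to stop the "number rule" variants the post describes from slipping past it.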

