Increase the noise?
Maybe there should be more dumps of bogus usernames and passwords. Slow the scammers down a little.
Security consultant Mark Burnett has dumped 10 million usernames and passwords onto the world, in what he claims is an effort to improve research. The huge pile, collected from caches revealed after years of breaches, was scrubbed clean of corporate information and domain data before its release. Burnett said he went to " …
This post has been deleted by its author
re: "Correct horse battery staple"
I would be surprised if this specific password isn't in password cracking dictionaries, so yes, if you were to use this specific password then you have been warned. However, if you understand the concepts this memorable shorthand conveys and apply these, it is highly unlikely that your passwords will be vulnerable to a phrased dictionary attack.
But then as the sources of these leaked passwords attest to, the problem isn't so much due to users having weak passwords, but website owners not properly protecting the login and password details of their registered users...
@Roland6 - I'm always surprised it never seems to show up in the lists of commonly used passwords. Obviously you'd have to be an idiot to actually use that specific phrase since it's so well known. It's rather sad how few people actually seem to understand what that xkcd actually explained though, and just shout "Words! Dictionary!" and think they've somehow made a valid counter-argument. If you use an unknown number of words of unknown length to form a password of unknown length, a dictionary attack is simply impossible; when you have to check all words from one character length upwards, you're just doing regular brute force guessing.
It's similar to the silliness of insisting on using upper case, numbers and punctuation. Sure, increasing the number of possible characters increases the number of possible permutations, but so does making your password a few characters longer. A password that forces you to use at least one capital letter and number but restricts you to a maximum of 8 characters, as many websites do, is far less strong than one made entirely of lower case letters that is allowed to be 20 or 30 characters long or more. Yet the latter will almost always be classed as weak by sites that claim to check the strength of a password when you're choosing it.
@Symon - yes, I didn't say not to use a password safe, I was simply criticising their repetition of the myth that random gibberish is the only good password. The problem of remembering large numbers of different passwords is a separate matter, and is always going to be a problem no matter how memorable each password might be individually. I may be able to remember the lyrics to at least 50 songs, but if I use an entire song as a password for 50 different sites there's no way I'd be able to remember which song goes with which site. Password safes are useful no matter how you generate your passwords.
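The keyspace argument in the two posts above (8 mixed-case characters versus 20 or 30 lowercase ones, and a word-based passphrase attacked as words versus as characters) is easy to put numbers on. The following is an added example, not code from the thread or from the article; the guessing rate of 1e10 guesses per second is an assumed figure for an offline GPU rig, and all figures are upper bounds that assume the password was chosen uniformly at random under the stated policy.

```python
"""Added example: brute-force search space of several password policies.

Assumptions (not from the thread): the attacker knows the policy and the
generation method, and can test GUESSES_PER_SECOND candidates offline.
Human-chosen passwords are not uniform, so real strength is lower than
these figures; they are the ceiling for each policy.
"""
import math

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate, not a measured value
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols (character-level brute force)."""
    return length * math.log2(alphabet_size)


def wordlist_bits(list_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly from a list of `list_size`
    when the attacker knows both the list and the word count."""
    return words * math.log2(list_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try every candidate in a 2**bits keyspace."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


# Policies named in the discussion, plus the xkcd case attacked two ways:
# as 4 words from a known 7776-word list, and as the 25 lowercase letters
# of "correcthorsebatterystaple" when the attacker does not know the
# word count or word lengths and must fall back to character brute force.
POLICIES = {
    "8 chars, upper+lower+digit (62 symbols)": charset_bits(62, 8),
    "8 chars, all printable ASCII (95 symbols)": charset_bits(95, 8),
    "20 chars, lowercase only (26 symbols)": charset_bits(26, 20),
    "30 chars, lowercase only (26 symbols)": charset_bits(26, 30),
    "4 words from a known 7776-word list": wordlist_bits(7776, 4),
    "4 words, treated as 25 unknown lowercase chars": charset_bits(26, 25),
}


def rank_policies(policies: dict = POLICIES) -> list:
    """Return (name, bits, years) tuples, weakest policy first."""
    ranked = sorted(policies.items(), key=lambda kv: kv[1])
    return [(name, bits, years_to_exhaust(bits)) for name, bits in ranked]


if __name__ == "__main__":
    for name, bits, years in rank_policies():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {name}")
```

The point the posts make falls straight out of the table: the mandatory-uppercase-plus-digit 8-character policy sits at roughly 47.6 bits, 20 lowercase letters at roughly 94 bits, and a four-word passphrase is only 51.7 bits if the attacker has the word list but well over 100 bits if they have to attack it character by character.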
This post has been deleted by its author
@Cuddles - sorry, but the only secure password *is* an unrememberable random string of multi-character gibberish. Minimum of 18 characters, with the sort of cheap firepower available from Amazon etc. these days.
The Lifehacker article is more-or-less there except they use Dropbox to store their password file which strikes me as definitely risky.
After reading the article a second time, I'm still at a loss trying to figure out specifically how he acquired that cache of passwords - "being freely available on the internet" is more than a bit vague. Exactly how does one go about collecting thousands of passwords a day...? Because I sure can't remember the last time I saw a forum post with "oh and by the way, my login is xxxxx and my password is yyyyy..."
>I'm still at a loss trying to figure out specifically how did he acquire that cache of passwords
Second paragraph:
The huge pile, collected from caches revealed after years of breaches, was scrubbed clean of corporate information and domain data before its release.
Fourth paragraph:
"These are old passwords that have already been released to the public; none of these passwords are new leaks," Burnett (@m8urnett) wrote in a post addressing some received criticism.
It seems that he has merely collated usernames and passwords from past breaches that others have published on the internet.
On the edge? That's WAY over the slippery slope, and sliding downhill with no recovery possible. Enjoy your crash & burn, Mark Burnett. You'll never work the security field again.
(Hint: Never make life easier for skiddies. It'll bite you in the long run.)
I train my users to create 12+ character passwords based on easy to recall sentences, often movie quotes. Use first one or two characters of each word, capital at the start, add punctuation at the end. The user does not have to remember the actual password, but types it in as they run through the sentence. It lets low-skilled users reliably use passwords like Tharthedryolofo! Find THAT in a dictionary!
Tharthedryoulofo! comes from THese ARen't THe DRoids YOu're LOoking FOr
or Drandikewe13 - DRunk ANd DIsorderly KEy WEst 13 (for 2013)
Yes, good passwords CAN be easy to create and recall, IF you use a good system. This one's working a charm for our users, but I'm sure there are others. Anyone?