

Why Do We Let Users Create Passwords at All? - bluedevil2k
http://drive.cabforward.com/blog/bid/206586/Web-App-Security-Why-Let-Users-Create-Passwords-At-All

======
Sami_Lehtinen
My funny G+ post from yesterday: I told my colleagues that we receive at least
5000 "hack attempts", aka failed logins, daily to any of our public Internet
facing servers. One of my colleagues just said to me: "Well, you're having
such a ____password policy, that maybe those are actually failed login
attempts and not hack attempts at all." - It really got me laughing. Yes,
passwords, especially long, complex and random ones, are painful for users.
Here's the password of the day (opening and closing quotes aren't included in the
password): "^j'lb#K-€3, <_úgWJdXå(n_6=41Bµ%cj!" Btw, good luck guessing the
password or finding it out using SHA-1 hashes or so. I know it's possible, it
just might take a while. ;) p.s. This password still has less than 256 bits of
entropy.

I prefer to think of a "password" as a shared secret, instead of a password. I
hate it when people even say password. It's a random set of shared secret bits,
only a blob of data. Got it?

[https://plus.google.com/u/0/106938703242944328523/posts/8r2K...](https://plus.google.com/u/0/106938703242944328523/posts/8r2KkczgvAy)

