
Analysis of 32 million breached passwords - wglb
http://www.net-security.org/secworld.php?id=8742
======
roundsquare
_Employees using the same passwords on Facebook that they use in the workplace
bring the possibility of compromising enterprise systems with insecure
passwords_

I think we're approaching this the wrong way. Expecting people to have a large
number of passwords is unrealistic, especially if they have accounts they
don't log into frequently (e.g. bank accounts).

I'm not sure what the right solution is, but constantly telling users to have
different passwords isn't going to work. We need another way to identify
people online.

~~~
RyanMcGreal
I try to encourage people to have _at a minimum_ a strong password for
applications that need security (like online banking) and a second throwaway
password for garden variety site registration.

------
gkoberger
While I am sure many people have weak passwords, I am not convinced that the
RockYou passwords are exactly a microcosm of the current state of password
strength.

RockYou always seemed somewhat scammy, so I would say it's possible many
people merely used generic passwords out of fear of RockYou someday exploiting
them.

------
ShabbyDoo
I'm bored with the brute force attack prevention argument. Why not just help
your users out by throttling requests after N attempts?

With throttling, "strong" password requirements (non-alpha, etc.) serve only
to force users not to pick passwords obvious to someone who might know them
(wife's name, etc.). That and avoiding the "letmein" cases, I guess.

~~~
euroclydon
Why not just lock out a user after n failed login attempts?

~~~
DougBTX
It makes it easy for someone to launch a denial-of-login attack: just set a
script to log in with n random passwords, then the user won't be able to log
in. With a rate limit, once the attack is over or blocked, the user can log
in. With a ban after n, they would have to manually reset their password after
each attack, which could be set to happen e.g. once an hour.

Not that I've ever knowingly heard of someone getting attacked in such a way.
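
To make the rate-limit-versus-ban distinction above concrete, here is an added example (not code from the thread or from any linked article) contrasting a sliding-window login throttle with a hard lockout under the same flood of n bad guesses; the user name, password, window and limit are made up for the demo.

```python
from collections import deque

MAX_FAILURES = 5       # the thread's "n" failed attempts
WINDOW_SECONDS = 60.0  # how long a failure counts against the throttle

# Constructed credential store for the demo; real code compares password hashes.
USERS = {"alice": "correct horse battery staple"}

class RateLimiter:
    """Sliding window: refuse logins while an account has MAX_FAILURES failures
    in the last WINDOW_SECONDS. Failures age out, so the account self-heals."""
    def __init__(self):
        self.failures = {}  # username -> deque of failure timestamps

    def login(self, user, password, now):
        q = self.failures.setdefault(user, deque())
        while q and q[0] < now - WINDOW_SECONDS:  # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            return "throttled"
        if USERS.get(user) == password:
            q.clear()
            return "ok"
        q.append(now)
        return "bad-password"

class HardLockout:
    """Ban after MAX_FAILURES: stays locked until someone resets it, however long."""
    def __init__(self):
        self.failures = {}
        self.locked = set()

    def login(self, user, password, now):  # 'now' is ignored: time never unlocks
        if user in self.locked:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return "bad-password"

def simulate(policy):
    """Attacker burns MAX_FAILURES guesses at t=0, then the real user tries at
    once and again after the window has passed. Returns the two outcomes."""
    for i in range(MAX_FAILURES):
        policy.login("alice", f"guess{i}", now=0.0)
    during = policy.login("alice", USERS["alice"], now=1.0)
    after = policy.login("alice", USERS["alice"], now=WINDOW_SECONDS + 1.0)
    return during, after
```

Both policies refuse the real user while the guesses are still flooding in; the difference is that the throttle recovers by itself once the window empties, whereas the lockout stays in place until an out-of-band reset.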

~~~
thechangelog
A recent NY Times article[1] talked about just this. On auction sites like
eBay, competitors can lock the accounts of those they're bidding against in
order to win auctions.

1. <http://www.nytimes.com/2010/01/21/technology/21password.html>

------
sp332
If you use Firefox to store your passwords, and would like to analyze how
often you reuse passwords, I encourage you to join the Test Pilot program [0].
The current study is looking at reuse of passwords. It doesn't collect your
passwords, just counts how many sites you use your top few passwords on. The
plugin lets you see all the data before sending it to Mozilla, so you can just
look at the analysis without sending it if you want. (but it would be very
helpful if you would send your data in.)

[0] <https://mozillalabs.com/testpilot/>

------
crosvenir
I think we also need to rethink password rules, especially restrictive ones:

- Cannot use special characters
- Cannot use characters other than numbers (may only use numbers)
- 5th character must be a !
- 5th character cannot be a !

This kind of crap makes me immediately not want to use a service / look for
another job.

------
gnurant
You still need to guess the login name.

