Hacker News new | past | comments | ask | show | jobs | submit login
Want to Block Common Passwords? Sorry, That is Patented (xato.net)
194 points by gnosis on Apr 13, 2013 | hide | past | web | favorite | 97 comments

We really need to start naming and shaming the people willing to have their names listed on frivolous patents like this, and not just their employers. If you're listed as an inventor on an unethical patent, you have violated the implicit moral code of technologists and positioned yourself in opposition to progress.

Michael Stephen Brown and Herbert Anthony Little: you are not good people.

We really need to start naming and shaming the people willing to have their names listed on frivolous patents like this, and not just their employers. If you're listed as an inventor on an unethical patent, you have violated the implicit moral code of technologists and positioned yourself in opposition to progress.


Paul's patent would seem frivolous now, but it wasn't then. By applying for a patent, did he position himself in opposition to progress? Seems doubtful.

Here's another example: http://www.google.com/patents/US5204966 This patent was filed in 1990. I was two years old. The internet hardly existed then. Was this patent frivolous? Should these inventors be punished according to your ethics?

So what's our criteria for a frivolous patent? Perhaps "(a) it was filed since 2010, and (b) it covers some well-known technique." Yet that's completely arbitrary. Punishing someone for violating an arbitrary moral code is a recipe for evil.

It's a software patent, therefore it's frivolous.

"The basic algorithmic ideas that people are now rushing to patent are so fundamental, the result threatens to be like what would happen if we allowed authors to have patents on individual words and concepts."

- God himself, http://progfree.org/Patents/knuth-to-pto.txt

That's not very good reasoning.

If all software patents are bunk, so are many electrical engineering patents.

If software is built on hardware, anything I represent in software can be 1:1 related to the digital circuit equivalent. It may be silly or infeasible to do so - but I could make an ASIC or FPGA that runs my latest piece of code. Maybe those wouldn't count because they're too close to the way we think of software. Okay - I lay out my PCB with just 4011s NAND gates. Is this sufficiently far from software to get me a patent for my ideas?

I think software should move towards a trade secret model and abolish software specific patents entirely. Unless you can demand to see the source code, you can never prove whether or not I used your algorithm.

That - or, software developers need to make one gigantic document of every single idea they have implemented and used. If everyone has 5 ideas a day that they implemented and wrote down, we'd hit some sticky situations where a new problem is found. And, much like the patent system, if we put it online where anyone could potentially see it, we can say that it was prior art for any future patent.

Then - as they don't have to be good ideas necessarily, we run through and make all permutations of every single word on the page, leading to every possible idea that can be thought of in that context. Prior art for everything. Or just get Pi out and start translating it to English.

If all software patents are bunk, so are many electrical engineering patents.

And yet few people realize that. The USPTO continues to issue software-equivalent patents as well as software patents, and the courts uphold their validity, all while claiming that "real" math is not patentable, but offering no clear theoretical framework for distinguishing the two.

ASICs could be argued to be physical implementations and therefore patentable. On the other hand, when converting a software algorithm to an ASIC design involves no additional creative effort, how can the ASIC be patented?

We used to argue that inventions should be patentable, but abstract ideas around inventions are not deserving of patents. If I was interested in your supposed ASIC design, and in a position to be awarded a patent, I would argue that by taking the algorithm and realizing it into a chip fab (or by doing the requisite homework to bring it to a chip fab, if I didn't have the requisite billion dollars to actually market the chips) I had done sufficient work to be worthy of a patent.

As a good person (who doesn't want his patent thrown out when it goes to court), I would not try to submit an incomplete design and I would make sure that my filing included all of the necessary information to put the design into future generations' hands. (But not the billion dollars, of course!) Who's to say it involves no additional creative effort? I remember Computer Organization and Architecture classes as a Computer Scientist that were meant to teach me the left hand of the equation while making me aware of the tetris game that exists on the right hand side, but not bogging us down (since we were computer scientists and not electrical engineers.)

So out of self interest, maybe I should wish to be able to patent the algorithms. I know and I was raised better than that. Our pyramid schemes start and end with our brothers (and sisters) who majored in electrical engineering! Software is meant to be free, and hardware has innate marginal cost as a necessity of physics.

Remember it can be up to the patent examiner in an abstract sense with no rhyme or reason on whether or not to grant a patent, and many of the folks I hear would rather see "boots on the ground." In other words, without the billion dollars to put the fab into works: no patent for us, so no victory.

That's not very good reasoning.

If all software patents are bunk, so are many electrical engineering patents.

I hope that the second sentence is not supposed to be a substantiation for the first one. If anything, it's an example of why the system must be fixed.

Is this sufficiently far from software to get me a patent for my ideas?

It shouldn't give you that right in the first place. Patents were meant for engineering inventions, not for mathematical discoveries. Encoding a mathematical discovery in an engineered form does not change its substantial nature.

Thing is that using common sense will reveal that this patent is restrictive in a bad way since it helps potential attackers to get into system. No matter if it's year 1980 or 2000. When Volvo invited three-point seat belt it was shared with other manufacturers because they were well aware the obvious benefit to all. Same goes eg. with blocking simple passwords.

This brings up the problem of patent terms. At least in software, the ordinary term of a patent is obviously much too long. Even granting a ten-year monopoly would be onerous in this business; twenty is absurd - the technological landscape can change completely in that time.

Devil's advocate: by allowing software patents, that might tend to force technological change. You need to invent a new landscape if the current landscape is illegal or onerous to operate in.

For the record, software patents annoy me and I don't think they should be allowed.

But the patents are so general in scope that they tend to preempt any technological change.

What benefit is there in inventing a better mousetrap if the very idea of causing inconvenience to vermin has been patented, and the only people beating a path to your door are verm^H^H^H^H patent lawyers.

20 years was long enough for Microsoft to rise and fall.

There are places of employment where having your name attached to a patent is only barely optional. They hire "patent experts" to go around and figure out what is supposedly patentable with little to no input from developers and then have the "inventors" who touched those bits sign off on it (thus having their name attached to the patent). And of course you don't have to agree to this, but not agreeing essentially comes in the form of quitting or at least creating a schism that didn't exist between you and your manager and/or team.

While there exists a group of developers whose geographical situation and years of experience allow them to easily quit over such matters, there are plenty who aren't so lucky.

So while I am very much against software patents, I only support "naming and shaming" when it comes to those who are initiating, publically supporting or otherwise directly involved on the offensive side of patent lawsuits.

Even if the inventor refuses to sign the declaration, if they have an obligation to assign and are truly an inventor, their name will appear on the face of the patent. There are procedures at the patent office for proceeding with getting a patent even when an inventor refuses to sign.

But if the original inventor refuses to sign off, they will find someone else to 'invent' it.

I've been in that position. I even argued that the patent application was invalid due to prior art. The patent people consulted with other developers and just presented me with the paper work to sign. I signed it. It was that or be labeled as uncooperative. This was a company of 60 people, not some mega-corp.

Wow that's the worst situation I've heard of wrt to patent writing, but there are other, more seemingly innocuous ones too.

For instance, many places have departmental quotas on patents filed, and often have patents as a parameter in their quarterly/annual performance criteria.

Some companies have a culture of patenting. You want to stay hired - you patent everything you can, to reach the targets.

A friend worked for a company that did code maintenance (support/bug fixing) for some embedded IBM systems. They were bought by IBM, and in the first meeting their new IBM boss said to them "I checked the company records and I see no patents. This needs to be changed." What kind of patents can you get while fixing bugs in some C code written by somebody else?

And if you choose to work for one of those companies with a culture of patenting, you deserve the shame. If you run a company and you want to go patent crazy, you should be starved of engineering talent.

You do have a choice of where you work. "i just want to keep my job" is not a valid excuse for anything.

>You do have a choice of where you work. "i just want to keep my job" is not a valid excuse for anything.

I'm not sure how valid this is. It might be true in most of the United States, but if you work for $GIANT_JAPANESE_AUTO_COMPANY which produces the second largest number of patents/year in the world after IBM (iirc), you have very few employment options other than said company geographically, and the corporate culture there makes it extremely difficult to change jobs at all.

How old are you? Your attitude of absolute, rigid moral certainty suggests you don't have much experience with the real world.

You do have a choice of where you work

Only if you don't care too much about where you work or what your work on. If you're happy to work on any old Rails app anywhere in the US, sure you have plenty of choice. If you want to work on cutting edge quantum computing close to New York, not so much.

I think this is hard strategy to convince the world to follow. It involves causing culture shift in existing business and the culture momentum in this case is not insignificant.

The next problem is that the business exist in a legal system that rewards patenting profusely and broadly. A company that refuses to do this is at a disadvantage.

In addition to avoiding companies that participate in such behavior what other strategies to you think are worth while?

Google is the biggest advocate for change in the direction of devaluing software patents or at least they are easy to observe doing such.

>What kind of patents can you get while fixing bugs in some C code written by somebody else? //

Ones related to bug fixing? Ones concerning optimisation of code to enable lower memory use or lower power consumption or more compressed data formats or ...?

Some companies, the big players in electronics and computing for example, use patents not only to enforce the limited monopolies but also as bargaining chips enabling them to buy in to patent pools and such - like you can use these 500 patents if we can use your 500. I'm sure with some such deals some "packing" is needed to bolster the numbers and let you play above your station.

Your employer will have its internal lawyers call you to explain to you that your employment contract says that you have to assign them the patent, and that they're giving you $1,000 honorarium for this, and if you do not accept this then they will file your name anyway as "assignment by an uncooperative inventor." Not sure if you can blame someone for caving. Who wants to be called an "uncooperative inventor" by their employer?

There is no implicit moral code of technologists.

(unrelated to the topic of OP)

Which is too bad. Doctors do, but technologists arguably have a larger effect on the lives of all people.

Doctors have an explicit moral code.

You know what, maybe we could put them all on a list. We can name that list after a color. We will all promise not to hire anyone on the list unless they are willing to tell us more names to add to our list. Who cares if we hurt some innocent people along the way or destroy someone's career for an act they committed 20 years ago? At least we will be able to weed out any people with politics we disagree with.

In reality, neither the employees nor the employers deserve the blame. It is misguided laws that allow and even encourage this type of behavior. As the old saying goes, don't hate the player hate the game.

I agree with this. I might get some flack, but.....if you don't file the patent then someone else likely will. Morality points are great and all, but at the end of the day you're going to lose out to the company which "beat" you to it and will now attempt to collect royalties on you.

In a perfect world, no one would file software patents. Unfortunately, we don't live in a perfect world. Pretending like we do will simply burn you later.

So no, I'm not in favor of software patents but I think it's ignorant to act like ignoring them solves the problem.

> I might get some flack, but.....if you don't file the patent then someone else likely will.

If you don't file the patent and someone else tries to you can challenge it with your documented prior art.

Now that we are in a first to file system, will that actually invalidate it?

As long as you've documented or used the invention in public prior to the filing, I believe yes. IANAL, though.

If you're trying to keep it as a trade secret you might have trouble then.

Yes. Prior art was actually expanded with the new Act.

That's not the right approach, because usually an employee has an obligation to assign the invention to their employer. Frequently it's not really up to the inventor whether or not a patent gets filed on a particular idea.

Maybe they patented this only because no other potentially evil could patent?

There are a couple of solutions (neither are "good" if you're worried about being sued to oblivion ) :

1) Don't publicize how you reject passwords (this, obviously, won't work for open source). You can reject with a generic "please choose a different one" or something similar. Just vague enough to not directly show that you're reading off a list of bad passwords.

2) Ignore the patent.

I'm a fan of 2, but fighting a troll alone is most definitely not an option. If I do get sued, perhaps I can contact all other people who were also sued (since trolls tend to fire shotgun lawsuits to see which ones buckle) and fight back together to try and get the patent invalidated.

Meanwhile, I can write to congress (have all the others do the same) and wait for it to have no effect whatsoever since, obviously, we all know that what really kills American jobs is those damn immigrants /sarcasm.

Attempting to avoid infringing software patents like this is an absolute waste of time. There are vast amounts of terrible patents covering everything you do, and even if you don't technically infringe the mere allegation that you do by a patent troll is enough of a threat to make settlement more profitable. That's why it's been compared to extortion.

Yea it's a pretty ridiculous state we're in. Fortunately this patent was probably filed defensively by RIM, but the moment they decide in the next 20 years that a branch could be more profitable by firing their employees and siphoning some intellectual property into a litigious happy NPE, then any group rejecting user passwords that look like p@ssword will be in violation until the year 2031

This would be the company that was once known tongue-in-cheek as "Lawsuits In Motion".

It's not just going over a blacklist though. If you do any form of checking/rejecting a password, you're probably infringing something. And it's not just the checking, the article also mentions "recovery of forgotten passwords, secure password resets, using one-time passwords, account lockout, generating pronounceable passwords, password hints, and even backdoor passwords".

> generating pronounceable passwords

Prior art!

That program was written by thvv in 1994[1], based on much earlier work[2].

[1] http://manpages.ubuntu.com/manpages/quantal/en/man1/gpw.1.ht...

[2] http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA017676

What if you didn't reject the passwords outright, but simply warned the user. I wonder if that would be considered a violation? Also the patent "Specifying a set of forbidden passwords" includes: "generating at least one symbolically equivalent password". What if you didn't generate a symbolically equivalent password (but just did a direct lookup?)

Willful infringement triples any judgement against you. Just a note for those who didn't know.

Patents: Meant to encourage innovation, and now destroying it. Is there anything lawyers touch these days that doesn't get irrevocably corrupted? Law was supposed to protect rights and clarify correct behavior, not become a profit center for parasites.

It was always like this. The main way to become wealthy in ancient times was through lawsuits. As soon as well meaning intentions are put into legal words, they can be subverted.

This has been posted here before, and I exchanged a couple of messages in the comments section with the author to clarify some misconceptions. If you read the claims (as everyone always should but nobody ever does), most of the patents he mentions are actually pretty "decent", some of which are discussed in the comments.

Are any of those patents not algorithm, hence math, patents? Or, is your argument that certain types of math patents are "decent" and should be allowed? Because they're not (at least in theory), according to judicial precedent; in practice, courts seem to have difficulty knowing math when they see it.

Your views are rooted in one of the more common misconceptions about so-called software patents: None of them are algorithm patents, because you cannot patent algorithms. What is patented is the application of certain algorithms to solve a practical, real world problem. The algorithms involved are not covered, and can freely be used for other purposes.

In this case, that happens to be preventing poor passwords. That is a concrete, real-world problem, requiring practical solutions, which these patents purport to provide (probably) novel, non-obvious variations of. For example, one of the less "decent" patents uses (what seem to be) bloom filters to track and test for poor passwords. This does not mean all uses of bloom filters are covered by it. The claims specifically cover the method of using bloom filters to test for bad passwords.

Really, it becomes clear what is covered when you simply read the claims.

Mathematical equations representing (approximate) solutions to physics problems are patentable, then? Let's turn the clocks back to 1900 and figure out where we'd be technologically if every such "invention" had a 20-year period of exclusivity.

No, the application of those equations to practical problems is patentable. A physics problem is not necessarily practical (2 frictionless spheres in a vacuum are rolling towards each other...), but practical mechanical problems necessarily have a physical aspect and frequently rely on results of solving mathematical formulae. A patent on a mechanical solution may very well include the solution of such equations, and always have. Funny, doesn't look to me like the mechanical industry is stuck in the 1700s.

Edit: An early example of a mechanical "algorithm" patent - http://www.google.com/patents/US3765263

That patent is the sort of thing you're tasked with building in a mech-e class, or as an abstract problem in a physics class. If it's patentable, then one could say that the purpose of physics and engineering training is to build things, patent them, and live off of the royalties, rather than to create products people want to buy, competing in an open market.

The premise of your argument relies on the vague notion of what's a "practical" problem and what's not. I don't think that's any more tenable than any other defense of the current patent system I've ever seen. It's all vague, and exchanges like this are pushing me to a more extreme position that all patents are bogus, rather than granting that some "math" patents are connected to specific practical problems and thus patentable.

Would there be any obvious problems with defend-it-or-lose-it laws around patents, like there already are around trademarks? Seems like it would kill the submarine-patent market entirely, and would discourage companies from bothering to file for patents they didn't plan on vigorously defending (I could imagine drug companies continuing to file; software companies, not so much).

I don't tend to hear this suggested in patent-reform discussions, though, so I assume there's a reason not to go this route.

Unless I'm mistaken, it certainly wouldn't stop patent trolls, who buy/keep patents precisely so they can use them. The only thing it would stop is companies holding patents for defensive reasons, who have no intention of actively pursuing patent violators but who patent their ideas in-case they are sued by a patent troll with a similar idea/patent. Google claims to follow this in terms of open source projects[1].


Patent trolls buy them and keep them to use them eventually, but will wait a long time before doing so so that lots of members of industry will have infringed before starting to sue. In trademark law, you can't do that: if you're lax and let your mark become generic, it's basically impossible to go back and go after infringers after the fact (this happened to "nylon," for example).

There would still certainly be patent trolls, but as a start-up, you wouldn't have to worry as much about them... if you wanted to implement a feature that other companies were also implementing, you could do so with a reasonable amount of safety: either they weren't patented, or they were and there would be noisy lawsuits going on about them, or the patents existed but were no longer valid due to lack of defense.

But "defend it or lose it" means going after all infringers, which patent trolls certainly don't do. They are currently very selective about enforcing their patents, choosing to assert where they will win.

I'm not sure it's completely practical, but this would have some interesting interactions with obviousness -- if you need to sue half the industry, it may say something about the obviousness of the patent itself.

Hindsight is 20/20. Everything is obvious, once someone already paves the way to the solution.

This is why, in principle, there is the "prior art" clause. It's just not enforced well enough in the software realm--but the mechanism to prevent patenting something widely known a posteriori does technically exist.

Well the non-obvious requirement of patents to be granted in the first place is defined such that experts in the field would not come up with it in response to the problem it solves. This is not the case with most software patents.

There's a patent our there for just about any conceivable thing in computing. I'm pretty sure commenting on HN articles is patented and we're in violation right now. It's so ridiculous. No can ever really do anything with most of them (except maybe troll companies with deep pockets or if you're building a phone). I remember that 5 years ago when building a company people would still ask whether you had patents. I don't think they still do, but those are just my impressions.

Oh they do. But now that's by the typically less sophisticated investors, in my experience anyway.

Like Google? http://www.behav.io/ (recent IP/engineer acquisition).

"Nadav holds multiple patents in areas of social mobile networking, machine learning, network algorithms, and sensor technologies. His work has been featured in both academic and popular press (Technology Review, Businessweek.com, Wall Street Journal, Wired UK, and The Associated Press, among others), and received awards of recognition (including Best and Distinguished Paper awards, Knight News Challenge, SXSW Accelerator, IPSN Extreme Sensing Competition, and three Google Research Awards)."

But at least these seem to be patents that did require some effort, were novelties at the time and appear to be useful – otherwise that list of awards would be a list of awards you don’t want to receive.

There is nothing wrong with patenting truly new, truly sensible solutions to actual problems, in my opinion. The problematic patents are the trivial ones that currently swamp the software industry.

That's one of the issues though. Which patents are the "truly new" ones and which are the "trivial ones"? It seems like many software patents seem obvious in hindsight, a few years down the road, but they were not obvious at the time of invention.

This is of course true, although there are really some rather trivial ones even at the time of invention (or already outdated at the time of filing).

Maybe it would be helpful to adapt the protection period (20 years, IIRC) to the rate of innovation in the industry?

I'm not commenting on the relative value of the patents, just the idea that investors don't care. Google does quite a few IP acquisitions.

Google's actions in this area speak for themselves. Even in the few instances where they have been involved in patent infringement cases on the "offensive" side, the suits have been quite obviously defensive in nature (eg. the suit vs British Telecom).

The nature of reality as it applies to patent law is why I don't fault companies for acquiring lots of patents, but do fault them when they use those patents offensively. Google remains among the very few large tech companies I respect when it comes to patent actions.

The fact that they're not on the offense is not really meaningful. Most of the value of property and contractual rights is prospective. I bet Google has never sued someone for planting a farm on their campus lawn--that doesn't mean they're indifferent to the existence of that property right.

Google acquires a lot of companies for their IP. Not so they can sue people for infringing on it, but so they can use it. The property rights create a legal structure that allows those kinds of transactions to happen. Like with any other property right, that's the value of a patent--giving people a "thing" in which they can transact, which they can book as an asset, etc. Ideally, a lawsuit only happens when things go sideways.

How about "keeping bad things from happening"? That's only one level of abstraction up from that. Could be lucrative.

How about a "Facility for preventing disasters."[1]


The "passwd" program on page 282 of the first edition of Wall & Schwartz "Programming Perl", copyright 1990, would appear to constitute prior art to most of these claims.

Large companies patent everything that they use that doesn't have a patent already. Better to have a patent for entry of text in to a form using a keyboard than to pay a troll later.

But it is also mutually ensured destruction for fights between big companies. You can't sue me for a billion dollars because you are infringing on 2 patents for every on of yours I am infringing. Apple vs Samsung was an example of this.

Here's an example going back to the 80's when IBM shook down Sun[1]:

>> Finally, the chief suit responded. "OK," he said, "maybe you don't infringe these seven patents. But we have 10,000 U.S. patents. Do you really want us to go back to Armonk and find seven patents you do infringe? Or do you want to make this easy and just pay us $20 million?"

[1] http://www.forbes.com/asap/2002/0624/044.html

This is how the lawyers at my large company described it as well, mutually ensured destruction. If you're a big company, you're essentially forced to play the patent game.

Is there a common repository of patent troll claims? It would be nice to have a list of things to avoid, with workarounds where possible.

I'd stay away from looking up things you might infringe. You will be liable for treble damages and most of the trivial things are probably patented by somebody (http://en.wikipedia.org/wiki/Treble_damages).

That's a terrible law. It would be useful to look up patent issues not with the goal of willful infringement, but with the goal of avoiding infringement.

There's an old quip about a former president of the American Trial Lawyers Association (now called the American Association of Justice). When it was said that they practically own congress, he joked that he took offense to the word "practically". Even though that's an old story, said in jest, I don't hold out a lot of hope that a group primarily made up of lawyers will clean up a system that benefits their own profession.

This feels counter-intuitive to me. I understand why patents are tainted by these, but how am I supposed to know if I'm not infringing if I don't research the idea before shipping out? Shouldn't there be a way to make sure at least it's sufficiently different to make sure I'm not repeating something?

How you are supposed to know if you are not infringing? It's simple. Do you do anything? If yes, you are infringing.

Your lawyer or a consultant does a technology audit. I used to do these on behalf of VCS on young startups to ensure they had not infringed on a patent that would put the investment at risk.

Fascinating! Any comments on how difficult/easy you found it to do a thorough search, and how often you found patents that you thought to be risks?

At the time it was hard. There wasn't Google Patent search which is really useful for checking these things.

Basically I would look at what patents the fledgling startup had filed. Make sure they didn't suck, and that there wasn't lots of prior art.

You can be a start up and get bought for nothing more than a single patent that someone wants, so making sure the patents you have are not going to fall down when a bigger company wants them was important.

Often I would also be checking who beat the company to what ever they were doing, and then check those people's patent portfolio.

We didn't worry much about things like the Fat32 patent, we worried about things like hey, this isn't a real innovation these guys just read this other guys thesis paper and knocked it off. (Like Nick at Summly did)

From there a VC could decide if they were going to double down or cut their losses.

So basically a lot of NDAs ;) We're going to be doing feature lists for our last project before going to marketing, so I guess this is as good a time as any to make sure the lawyer combs though them.

Because lawyers.

Most companies don't want their developers reading patents, it's a liability. Leave that up to the lawyers.

How about a list of patent trolls and their lawyers, financiers, etc.

Like linked-in, but not voluntary.

And whenever you were about to deal with someone you'd look them up on the list to see if they were bad...

This site is completely unreadable at least on my iPad, why is tweeting and Facebooking more important than the content!?

Surely you could just do it anyway, because there's no way a patent like that would hold up in court if they tried to sue you. I realise though that obviously it shouldn't happen in the first place, and doing it anyway could incur legal costs.

Do you have the money for the legal counsel required to take it to court? If you do, what about Joe and his new startup, he might just go for the suggested settlement.

The fact that it would cost any money at all is completely ludicrous, any judge with any basic concept of logic can see that it's an obvious development of technology and therefore can't be patented. You shouldn't have to hire a lawyer to prove that.

What about using a bloom filter of common passwords? It would prevent some safe passwords from being used, but otherwise would allow for disallowing unsafe passwords without holding a dictionary of them, potentially avoiding existing patents.

We shouldn't be able to patent any idea just by running it on a "processor and memory".

I'm convinced that trademark and copyright gives us all the IP tools we need. Patents can get f'ed.

Oh great, now I have to remove this common and obvious functionality from all the web sites I have any input to.

good luck!

This one in especially good:

Specifying a set of forbidden passwords

How can one spend time and money for this?

Is there a go-to password list, if you still want to go ahead and use it?

You'd probably set a chron with crack or John the Ripper which would come with a small password list and do some common permutations and then lock accounts. Ars Technica mentioned a RockYou.com password list that is now the go to list for serious cracking. I think it would be hard to enforce this patent for sysadmins who implement their own system.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact