a good thing!
Passwords, start from the hack and work back
So here's an interesting idea.
When end-users build a password they should ditch their own cleverness, pets, siblings, enemies, spouses, birthdates and instead check their creation against a password-cracking dictionary.
So where do you get one and how much does it cost?
Today, CrackStation made its main password dictionary available online in a pay-as-you-see-fit model. It comes in at 15GB and includes 1,493,677,782 words.
CrackStation came online recently and is described on its web site as a security awareness project started by Defuse Security.
The purpose, according to Defuse, is to:
"Raise awareness about insecure password storage in web applications, and to provide guidance to implementers of user authentication systems. By making large hash lookup tables freely available to the public, we make it easier for security researchers to demonstrate why password storage solutions, like non-salted hashing, are insecure."
Defuse Security is a one-person security research and development "organization." (quote marks are theirs, not mine). A sort of Robin Hood for the security conscious. Stealing from the hackers and giving to the poor, out-gunned security administrators. Defuse hopes "you will benefit from our existence in some way."
Perhaps you will and perhaps you won't.
Clearly, most of the tools available at CrackStation are aimed at those responsible for the security of Web sites.
But as passwords wait out their fate, this might be one way to impress upon end-users that their passwords do indeed suck without having to tell them to their face or insulting their dog.
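The two practical points in this post, checking a freshly chosen password against a cracking dictionary and why non-salted hashing falls to a precomputed hash lookup table, as a small worked example. This is added illustration code, not CrackStation's or Defuse Security's; the ten-word "dictionary", the stored hashes and the salting parameters are all constructed for the example, and a real wordlist is loaded from a file one word per line rather than embedded.

```python
import hashlib
import os

# Constructed miniature cracking dictionary. A real list (the one in the post
# is 15GB and 1.49 billion entries) would be read from disk, one word per line.
CRACKING_DICTIONARY = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "fluffy2009", "Rover", "summer2012", "P@ssw0rd", "trustno1",
]

# Characters users typically bolt onto the end of a dictionary word.
TAIL_CHARS = set("0123456789!@#$%^&*.")


def is_weak(candidate, dictionary=CRACKING_DICTIONARY):
    """True if the candidate is a dictionary word, ignoring case, optionally
    followed by digits or punctuation ("Rover", "fluffy2009!", "LETMEIN1").
    This is the check the post suggests end-users run before settling on a
    password: if it is here, an attacker's first pass will find it."""
    words = {w.lower() for w in dictionary}
    lowered = candidate.lower()
    # Try every split point: head must be a dictionary word, tail only tail chars.
    for cut in range(len(lowered), 0, -1):
        head, tail = lowered[:cut], lowered[cut:]
        if head in words and all(ch in TAIL_CHARS for ch in tail):
            return True
    return False


def unsalted_hex(password, algo="sha1"):
    """The kind of stored value a non-salted web application keeps."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup_table(dictionary=CRACKING_DICTIONARY, algo="sha1"):
    """Precompute hash -> plaintext for every dictionary word. This is what a
    hash lookup table is: the work is done once, then every unsalted hash
    of a dictionary word is recovered by a single dictionary lookup."""
    return {unsalted_hex(w, algo): w for w in dictionary}


def lookup_unsalted(stored_hash, table):
    """Recover the plaintext of an unsalted hash, or None if not in the table."""
    return table.get(stored_hash)


def salted_hex(password, salt, iterations=100_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Each user gets a random
    salt, so one precomputed table cannot serve every account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def table_misses_salted(password, table):
    """True when a salted hash of a dictionary word is absent from the
    unsalted lookup table, i.e. the precomputation bought the attacker nothing."""
    salt = os.urandom(16)  # constructed per-user salt
    return lookup_unsalted(salted_hex(password, salt), table) is None


if __name__ == "__main__":
    table = build_lookup_table()
    for pw in ["Fluffy2009!", "ROVER", "xq7!Lm2#bdd"]:
        print(f"{pw!r}: {'weak' if is_weak(pw) else 'not in dictionary'}")
    stolen = unsalted_hex("letmein")
    print("unsalted sha1 of letmein ->", lookup_unsalted(stolen, table))
    print("salted hash found in table?", not table_misses_salted("letmein", table))
```

The `is_weak` check deliberately strips the "tweaks" people add to a pet's name; the cracking dictionaries the post refers to already contain those variants, so a candidate that survives only because of a trailing `1` or `!` has not survived at all. The second half shows the storage side of the same problem: the same dictionary that scores a password also builds the table that inverts non-salted hashes in one lookup, while a per-user salt forces the work to be redone per account.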