[SOT] {FWD} [Dailydave] Don't use vowels in passwords! (fwd)

[bill.stewart@pobox.com (Bill Stewart)]

Do people actually use vowels in their passwords?
I thought they turned them into 0, 1, 3, 4, and other l33t characters 
to satisfy "must have a number" rules.

Salted hashes are important, of course, but if you only need to crack 
one user and not all of them, then a dictionary attack with a "Top 
1000 Wimpy Passw0rds" list isn't going to have much trouble, and if 
you need a list of "A Million Wimpy Passwords and 100,000 Normal 
Variations" there's probably one out there, just in case there isn't 
some user who used "abc123" or "123456" or "password".


At 08:17 AM 11/12/2013, Guido Witmond wrote:
>On 11/12/13 17:00, David Vorick wrote:
> > Which means the current password model is broken, as we all know it
> > has been for a while. Why isn't there a stronger effort to replace
> > it with something like a universal public key system?
>
>Plug: You mean, something like this:
>         http://eccentric-authentication.org/
>Regards, Guido.

There's Bellovin and Merritt's EKE Encrypted Key Exchange from ~1993
https://en.wikipedia.org/wiki/Encrypted_key_exchange
for which the patents expired in 2011 and 2013.