On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin <[email protected]> wrote:
[snip]
> Here's a heretical thought: require people to change their passwords --
> and publish the old ones. That might even be a good idea...

I'm not sure if you were just being facetious here or if you were serious, but you know, I think you might just be onto something here...especially if we could do this and allow some degree of anonymity. Maybe if we could post the passwords, run them through a password cracker for T minutes to see if they could be cracked that way or allow people to comment on them. It would give people an opportunity to teach how to create secure passwords and to critique weak ones by showing why they are weak. If this were something that was voluntary as well as anonymous, I think it has a chance for the greater good. Without anonymity, we would definitely have to only make it voluntary, or at least grant an amnesty period where people could opt out. Otherwise, you'd end up with a lot of lawsuits and likely fired employees. But I think you may be onto something here.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
