On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall <[email protected]> wrote:
> On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin <[email protected]> wrote:
> [snip]
>> Here's a heretical thought: require people to change their passwords --
>> and publish the old ones. That might even be a good idea...
>
> I'm not sure if you were just being facetious here or if you were serious, but
> you know, I think you might just be onto something here...especially
> if we could do this and allow some degree of anonymity. Maybe if we
> could post the passwords, run them through a password cracker for
> T minutes to see if they could be cracked that way or allow people
> to comment on them.

"Google as a password cracker", http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/. No need to waste local cycles (someone else previously posted a similar link).

> It would give people an opportunity to teach
> how to create secure passwords and to critique weak ones by
> showing why they are weak.

I think this would be a bad idea. I imagine it would promote stemming-related attacks. If not completely anonymous and coupled with some reconnaissance (IP => Company, find some users at company.com), it could prove to be a very dangerous practice.

Besides, there are plenty of password lists floating around. http://www.google.com/#q=password+list.

Jeff

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
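The "stemming" concern above is that a published old password (e.g. one ending in a rotated digit or year) reveals the stem the user will keep on the next change. A defender's counterpart is to enforce at change time that the new password is not a trivial variation of the old one, and that it does not appear in an already-public password list. The following is an added illustration, not code from this thread or from any list member; the leaked-password set, the leet map and the 0.8 similarity threshold are constructed assumptions for the example.

```python
"""Reject password changes that merely rotate digits/symbols around the same stem,
and reject candidates found in a known leaked-password list (added example)."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for a public leaked-password list; a real deployment
# would load a large list (or query a k-anonymised API) instead.
KNOWN_LEAKED = {"password", "123456", "qwerty", "letmein", "welcome"}

# Common "leet" substitutions users apply to dodge naive dictionary checks.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

# Rejection reasons returned to the caller (constructed strings).
SAME_AS_OLD = "identical to the previous password"
STEM_REUSED = "trivial variation of the previous password"
LEAKED = "appears in a known leaked-password list"
TOO_SHORT = "shorter than 12 characters"


def stem(pw: str) -> str:
    """Reduce a password to the part users tend to keep between changes:
    lowercase it, drop leading/trailing digits and punctuation, undo leet."""
    s = pw.lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)
    return s.translate(LEET_MAP)


def is_stem_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password shares its stem with the old one, either
    exactly, by containment, or by high character-level similarity."""
    a, b = stem(old), stem(new)
    if not a or not b:
        return False
    if a == b:
        return True
    # Containment only counts for stems long enough to be meaningful.
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(old: str, new: str) -> list[str]:
    """Return the list of reasons the change should be rejected (empty = accept)."""
    reasons = []
    if new == old:
        reasons.append(SAME_AS_OLD)
    elif is_stem_variant(old, new):
        reasons.append(STEM_REUSED)
    if new.lower() in KNOWN_LEAKED or stem(new) in KNOWN_LEAKED:
        reasons.append(LEAKED)
    if len(new) < 12:
        reasons.append(TOO_SHORT)
    return reasons


if __name__ == "__main__":
    for old, new in [("Summer2012!", "Summer2013!"),
                     ("P@ssw0rd1", "P@ssw0rd2"),
                     ("Summer2012!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

The stem comparison is deliberately coarse: it is meant to catch the year-bump and symbol-swap patterns that make a disclosed old password a useful hint, not to replace a strength estimator. The old password is available in plaintext only at change time, which is the one moment such a comparison can be made without storing reversible secrets.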
