Also it's important to not get hung up on finding the perfect solution.
I like to use a public health approach when thinking about these
issues... we might not be able to eliminate the problem, but we can
reduce harm.
Pretty much anything is an improvement on the traditional "at least 8
characters" requirement.
Even if, worst case scenario, people reused their Password Playground
generated PW elsewhere, at least that reused PW is stronger than what
they were using previously.
There have already been a lot of studies showing that a majority of people use
dictionary words and other easily guessable PWs, and that they use those
easily guessed PWs across multiple sites.
- Greg
On 10/15/14, 7:20 AM, Ryan Feeley wrote:
On 2014-10-15, 5:14 AM, Shane Tomlinson wrote:
On 04/10/2014 02:54, Ryan Feeley wrote:
As it's a hash of your master password, it's safe to increment your
master password by one as an exception.
Here's an argument against this idea from Square:
https://diogomonica.com/posts/password-security-why-the-horse-battery-staple-is-not-correct/
Great post, although it makes no mention of password solutions like
SuperGenPass [1] or One Shall Pass [2] mentioned above.
“In JavaScript, 1SP hashes a structure including your email address your
universal passphrase (which you choose and mustn't forget), then hashes
the results with a host (such as "github.com"), and your settings for
that host. If you enter the same inputs on another computer, 1SP will
yield the same password.”
If you're referring to the Password Playground in general, we’re
addressing his primary concern which is "how dictionary-attack
resistant" the passwords are. I had proposed blocking common passwords a
while ago, and still support that idea.
Until there are free, reliable password managers available, we should
extend a helping hand for the Firefox Account password because of its
importance (it's likely the password that protects your Saved Passwords).
There are some passwords that should be memorable but need not be
generator-strength (like your laptop that someone needs physical access
to) and even some that should be memorable and stronger (like your
Apple ID/Google Account, and I would argue your Firefox Account).
The Password Playground is a tool that helps people practice making a
strong memorable password for the Firefox Account (not other sites).
Ryan
[1] http://www.supergenpass.com/
[2] http://oneshallpass.com/
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
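
The two-stage derivation described in the One Shall Pass quote in the thread above, sketched as an added example that is not part of any message and is not 1SP's or SuperGenPass's own code. PBKDF2, HMAC-SHA256, the iteration count, the alphabet, and the `length`/`generation` settings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Assumed output alphabet (look-alike characters removed): 56 symbols.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KDF_ITERATIONS = 100_000  # assumed work factor, not 1SP's real setting


def master_key(email: str, passphrase: str) -> bytes:
    """Stage 1: slow hash of the email address and the universal passphrase.

    The email acts as a per-user salt, so two users with the same passphrase
    get unrelated keys, and each offline guess costs KDF_ITERATIONS hashes.
    """
    salt = b"site-pw-demo:" + email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, KDF_ITERATIONS)


def site_password(key: bytes, host: str, length: int = 16,
                  generation: int = 1) -> str:
    """Stage 2: hash the stage-1 result with the host and per-host settings.

    `generation` is a hypothetical setting: bump it to rotate one site's
    password without changing the passphrase.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    host_b = host.strip().lower().encode("utf-8")
    # Length-prefix the host so field boundaries cannot be shifted.
    msg = (struct.pack(">H", len(host_b)) + host_b
           + struct.pack(">IB", generation, length))
    # Rejection sampling: discard bytes >= 224 so every symbol is equally
    # likely (256 is not a multiple of 56).
    limit = 256 - 256 % len(ALPHABET)
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, msg + struct.pack(">I", counter),
                         hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


if __name__ == "__main__":
    k = master_key("user@example.com", "constructed demo passphrase")
    print(site_password(k, "github.com"))
    print(site_password(k, "github.com", generation=2))
```

Every site password here is only as strong as the passphrase, since anyone who learns one output can guess passphrases offline; the slow first stage raises the cost per guess but does not remove that dependency.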