Preventing offline cracking by selecting a suitably slow hash function with user-unique salts.

I'm convinced these meters have the potential to help. According to Mark Burnett's 2006 book, Perfect Passwords: Selection, Protection, Authentication, which counted frequencies from a few million passwords over a variety of leaks, one in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud. Burnett ran a more recent study last year, looking at 6 million passwords, and found an insane 99.8% occur in the top 10,000 list, with 91% in the top 1,000.

The methodology and bias are an important qualifier - for example, since these passwords mostly come from cracked hashes, the list is biased towards crackable passwords to begin with. These are only the really easy-to-guess passwords. For the rest, I'd wager a large percentage are still predictable enough to be susceptible to a modest online attack.

So I do think these meters could help, by encouraging stronger password decisions through direct feedback. But right now, with a few closed-source exceptions, I believe they mostly hurt.

A naive strength estimation goes like this: Strength is best measured as entropy, in bits: it's the number of times a space of possible passwords can be cut in half.

I took these screenshots on April 3rd, 2012. I needed to crop the bar from the gmail signup form to make it fit in the table, making the difference in relative width more pronounced than on the form itself. zxcvbn considers correcthorsebatterystaple the strongest password of the 3.
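As an added illustration (not code from the post and not zxcvbn's algorithm), the following contrasts the naive character-class entropy described above with an estimate based on rank in a frequency list; the tiny top list, the function names and the symbol-class size are constructed assumptions.

```javascript
// Added example: naive charset entropy vs. frequency-rank entropy.
// TOP_LIST is a constructed stand-in for a real "top 10,000" frequency
// list; the ranks are illustrative and do not come from any leak.
const TOP_LIST = ['password', '123456', 'password1', 'qwerty', 'compaq',
                  '7777777', 'merlin', 'rosebud'];

// Naive estimate: bits = length * log2(size of the character classes used).
// Each position is treated as an independent uniform draw, which is exactly
// why this model overrates predictable passwords such as "password1".
function naiveEntropyBits(pw) {
  let space = 0;
  if (/[a-z]/.test(pw)) space += 26;
  if (/[A-Z]/.test(pw)) space += 26;
  if (/[0-9]/.test(pw)) space += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) space += 33; // assumed: printable ASCII symbols
  return pw.length * Math.log2(space);
}

// Frequency-rank estimate: a password at rank r in a list that is tried in
// order survives about r guesses, i.e. log2(r) halvings of the search space.
// Returns Infinity when the password is not on the list.
function rankEntropyBits(pw) {
  const r = TOP_LIST.indexOf(pw.toLowerCase());
  return r < 0 ? Infinity : Math.log2(r + 1);
}

// Final estimate is the weakest applicable model, rounded to one decimal.
function estimateBits(pw) {
  const bits = Math.min(naiveEntropyBits(pw), rankEntropyBits(pw));
  return Math.round(bits * 10) / 10;
}

// Stand-alone demonstration: "password1" looks like ~46.5 bits to the naive
// model but only ~1.6 bits once its list rank is taken into account.
for (const pw of ['password1', 'compaq', 'correcthorsebatterystaple']) {
  console.log(pw, naiveEntropyBits(pw).toFixed(1), estimateBits(pw));
}
```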