Password Recovery Speeds

March 13th 2009 01:49 pm

Ivan Lucas of “Lockdown.co.uk” has posted an interesting summary of Password Recovery Speeds. These are scaled on the assumption that the attacker will do trial-and-error attempts of all possible permutations. I think it would be interesting to include a scale that considers ‘likely’ password selections.

I’ve been reviewing postings from the past few months that look at password selection, including a password list stolen from phpBB, a built-in list used for cracking by the Conficker worm, and a list of the “500 most common passwords” from a book called Perfect Passwords. Bruce Schneier also did a thing on MySpace passwords back in 2006. Dan Klein did the classic assessment of password selection and cracking way back in 1990, and it seems like people’s choices haven’t changed a lot since then.

Aside from speedup due to Moore’s Law, I don’t think password security has changed much since 1990.
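To put the two scales side by side for password auditing, here is an added example (not from the original post or from Lockdown.co.uk) that computes the exhaustive-search time for a password and the time when candidates are tried in likelihood order. The guess rate, the five-entry ranked list and all function names are assumptions made for illustration.

```python
import string

# Assumed guess rate (guesses per second); not a figure from the post.
ASSUMED_RATE = 1_000_000

# Constructed stand-in for a ranked "most common passwords" list,
# most likely first. A real audit would load a much longer list.
LIKELY = ["123456", "password", "qwerty", "letmein", "dragon"]

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def charset_size(password):
    """Size of the union of character classes the password draws from."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four classes (spaces, non-ASCII) count once each.
    extra = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extra)


def exhaustive_guesses(password):
    """Worst-case guesses when every string up to this length is tried."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def likely_guesses(password, wordlist=LIKELY):
    """Guesses needed when candidates are tried in likelihood order, or None."""
    try:
        return wordlist.index(password) + 1
    except ValueError:
        return None


def recovery_seconds(password, rate=ASSUMED_RATE, wordlist=LIKELY):
    """Return (exhaustive_scale, likely_scale) in seconds; the second may be None."""
    brute = exhaustive_guesses(password) / rate
    rank = likely_guesses(password, wordlist)
    return brute, (None if rank is None else rank / rate)


if __name__ == "__main__":
    for pw in ["password", "qwerty", "Tr0ub4dor&3"]:
        brute, likely = recovery_seconds(pw)
        shown = "not in list" if likely is None else f"{likely:.6f} s"
        print(f"{pw!r}: exhaustive {brute:,.0f} s, likely-list {shown}")
```

For a password that appears in the ranked list, the second figure is the realistic one; the exhaustive figure only applies to passwords that no likelihood ordering would reach early.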
