Timeline for Prevent password reusing across different sites
Current License: CC BY-SA 3.0
6 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Mar 14, 2016 at 18:31 | comment | added | TTT | @PwdRsch - but then my reply would be to simply increase the minimum length by the length of the word instead. Instead of having a 15 character minimum requiring the use of the word "honey" (or other words) in the pw somewhere, you could just make it a 15 character minimum in the first place and skip the word requirement. | |
| Mar 14, 2016 at 18:28 | comment | added | TTT | @PwdRsch - Actually I was expecting you to say my comparison wasn't fair. You could argue that I should be comparing a 10 character pw with a 10 character pw which is made longer by inserting a word into it somewhere. If you compare it that way, then I would agree with you. | |
| Mar 14, 2016 at 18:22 | comment | added | PwdRsch | Most passwords do contain words, so I don't know how much practical difference there is between your choices. The requirement could produce worse passwords on average, or it might not. I'm not aware of any studies on how user behavior changes if they're required to insert a supplied word into their normal password creation process. They might just add the word on the end of their normal password or they might create a brand new password around that word with familiar modifications. However, I suspect you just want me to say that an attacker benefits from knowing a password contains a word. | |
| Mar 14, 2016 at 17:56 | comment | added | TTT | @PwdRsch - Suppose your password has a minimum length of 10. Which is easier to crack, a 10 character password which you know contains a word from a known list somewhere in the password, or a 10 character password that doesn't necessarily have any words? (Full disclosure: I'm baiting you to reply a certain way...) | |
| Mar 14, 2016 at 17:18 | comment | added | PwdRsch | I disagree that providing an attacker with a list of system words removes the advantage of inserting those words into passphrases. The attacker still must guess the correct base passphrase as well as the correct system word (and possibly where it was inserted). Assuming thousands of possible system words this exponentially increases the effort required from an attacker to find a valid passphrase. | |
| Mar 14, 2016 at 16:01 | history | answered | TTT | CC BY-SA 3.0 |