PwdRsch
- Karma
- 9
- Created
- January 8, 2013 (13y ago)
- Submissions
- 0
Hi, I'm Bruce K. Marshall. I've been conducting and gathering research on passwords and authentication systems since the late 90's. I started the PasswordResearch.com site as a way to share my collection of information and to encourage more collaboration between academics and IT practitioners.
I'm here to continue learning about the questions and problems people have with authentication as well as contributing my own experiences. You can also find me on Twitter @PwdRsch.
Yep, unfortunately for passphrases the maximum acceptable password length on web sites tends to be the #1 factor limiting their use. I created sample passphrases and tried them on a handful of different sites to measure…
Here you go: https://security.stackexchange.com/questions/62832/is-the-of...
They do try changing the capitalization of only the first character, but also invert the capitalization of all the characters in the supplied password. http://www.zdnet.com/article/facebook-passwords-are-not-case...
Some of the latest research on this technique: Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks https://www.ece.cmu.edu/~lbauer/papers/2016/usenixsec2016-ne...
Yes. They didn't need to know his strong password to log on, they just needed access to his mobile phone SMS in order to complete the account recovery process and change his account password to a value they chose.
It is complete idiocy to use passwords across services. Utter insanity. It is the worst possible practice imaginable, and is never, ever excusable. It's one thing to argue for improving people's password practices, but…
Here's what it says in the "How I became a password cracker" article (http://arstechnica.com/security/2013/03/how-i-became-a-passw...) on Ars from March: "Dan suggested that, in the interest of helping me get up to…
Telling people to use passphrases is a great recommendation, but you still have to spend some time teaching them how to use passphrases effectively. In the article they list several passphrases that were cracked, such…
There actually has been research on how to split passwords across multiple servers (one example http://www.passwordresearch.com/papers/paper270.html), and RSA is currently marketing a commercial product that does this.…
I used to do this same thing and never heard about pen testing firms being sued by their client. Most likely he was spinning a yarn. It is more likely that a security consulting firm will be sued if they report no…
AJ Jacobs at Esquire magazine wrote about his experience doing something similar back in December: http://www.esquire.com/features/overly-documented-life-0113
That's simply not true. Rainbow tables are still the first choice of many people trying to crack passwords, with brute force or hybrid attacks as a follow up after the common passwords have been found. It doesn't hurt…