Archive for the ‘Passwords’ Category

Terrible Password Security Advice From Jakob Nielsen

Jakob Nielsen today wrote an article calling for all log-in forms to display passwords in plaintext, rather than masking them with bullets or stars. He argues that this increases usability (users feel more confident because they can see their password as they type it), and also increases security (a more confident user will choose stronger [...]

Are You a Brute-Force Enabler?

Jimmy Ruska has taken the time to combine data from 3 compromised-password lists, and the results are pretty interesting.
If an attacker can try just a single password against every user on your web application, he’ll compromise about 1% of them. Even with a fairly stringent 3-attempt lockout policy, about 2-3% of your users will be [...]

Haddock: Generate Memorable Passwords in Ruby

Newly released RubyGem Haddock offers to generate easy-to-remember passwords, but how secure are they?
Haddock-generated passwords are of the form {word}{number}{symbol}{word}, and are generated to be at most as long as a user-specified length. So for example, an 8-character Haddock password might be “amy7@rax”.
For a relatively low-security password, like you might use for your Twitter account, this is [...]