My little operation has outgrown the browser extension now and scaled up to trawl sites for masses of user names to test against those most common of passwords. My single server has grown to a reverso-brute-forcing farm with constantly rotating IP addresses churning away day and night. (Yes, even in the dark!)
I’ve automated finding an email address on the account page of various sites and trying to log into that, so I only need to get involved when I’ve got the keys to the kingdom of someone who apparently thought no harm would come from having a password like 123456 on multiple accounts.
I almost feel bad for them.
Back to reality
I think there will always be end users who create the simplest password they’re allowed to. So the onus is on us (developers, security folk, etc.) to ensure that insecure passwords simply aren’t possible.
I guess this whole (fictional) story is a preamble to a plea to the few people who are still doing security wrong.
Every site (yes you, Reddit) should be enforcing password strength. And if you ask me, every site that has allowed crap passwords in the past should be working on forcing these to be updated.
And please stop spreading the misinformation that a password must contain uppercase/lowercase letters, numbers and punctuation to be secure.
If you’re telling a user that their 26-character passphrase isn’t secure enough (ahem, Microsoft), then you’re making it harder for that user to create an easy-to-remember/hard-to-crack password.
And if you allow truly terrible passwords like [email protected] because your strength checking logic is blunt, you’re doing your users a double-disservice (ahem, Microsoft).
I’d recommend testing the strength of a password with something clever, like zxcvbn — a “password strength estimator inspired by password crackers” by Dropbox. I first heard of zxcvbn 4 minutes ago and have been a big fan ever since. (Have a play here, it’s fascinating.)
If you really want to help your less savvy users pick a secure password, inform them of the correct horse battery stapler concept on your sign-up page (5f7ty^GF$H`@2 is difficult to crack, but the passphrase “this is difficult to crack” is thousands of times harder).
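To make the contrast between blunt composition rules and a cracker-inspired estimator concrete, here is a small added example (my own code, not zxcvbn and not from the original post). It assumes a constructed common-password list and word list, an assumed 20,000-word cracker dictionary and 16 substitution variants per word, and three constructed sample passwords; a real estimator ships full ranked lists and many more pattern matchers.

```python
import math
import re

# Constructed stand-ins for the ranked lists a real estimator such as zxcvbn ships with.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome"]
WORDS = {"this", "is", "difficult", "to", "crack", "correct", "horse",
         "battery", "staple", "password"}
DICT_SIZE = 20_000      # assumed size of a cracker's word list (WORDS above is a sample of it)
LEET_VARIANTS = 16      # assumed number of substitution spellings a cracker tries per word
LEET = str.maketrans("@$01357!", "asolesti")   # @->a $->s 0->o 1->l 3->e 5->s 7->t !->i
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))


def composition_rule_ok(pw: str) -> bool:
    """The blunt rule the post argues against: 8+ characters with one of each class."""
    return len(pw) >= 8 and all(re.search(pat, pw) for pat, _ in CLASSES)


def log10_guesses(pw: str) -> float:
    """Cracker-inspired estimate: log10 of the guesses needed by the cheapest attack that works."""
    low = pw.lower()                      # capitalisation folded; a real tool charges a little for it
    deleet = low.translate(LEET)
    attacks = []
    if low in COMMON_PASSWORDS:           # 1. walk the common-password list in rank order
        attacks.append(math.log10(COMMON_PASSWORDS.index(low) + 1))
    forms = [(low, 0.0)]
    if deleet != low:                     # undoing l33t costs the attacker only a few variants per word
        forms.append((deleet, math.log10(LEET_VARIANTS)))
    for form, extra in forms:             # 2. a dictionary word, or a passphrase of them (one draw per word)
        words = form.split()
        if words and all(w in WORDS for w in words):
            attacks.append(len(words) * math.log10(DICT_SIZE) + extra)
    charset = sum(n for pat, n in CLASSES if re.search(pat, pw))
    attacks.append(len(pw) * math.log10(max(charset, 1)))   # 3. brute force over the classes present
    return min(attacks)


def verdicts(pw: str) -> dict:
    """Side by side: what the blunt rule says versus what the estimator says."""
    return {"rule_accepts": composition_rule_ok(pw),
            "log10_guesses": round(log10_guesses(pw), 1)}


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "this is difficult to crack"):   # constructed samples
        print(f"{pw!r:32} {verdicts(pw)}")
```

The blunt rule rejects the 26-character passphrase and accepts the l33t-spelled dictionary word, while the estimator ranks them the other way round by about sixteen orders of magnitude.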
One of these days, we’re going to see a user in the Litigious States of America successfully sue an organisation for allowing them to have an easily-guessed password. The EU will make minimum password-strength requirements mandatory, and blog posts like this will become obsolete.