Comment Re:passwords and language? (Score 1) 499

What happens with passwords in other languages, and more specifically forcing the use of UTF-8 double bit characters? What about using passwords in multiple languages?

Most brute force password cracking at least uses a dictionary to get at the low hanging fruit, so why not increase the size of the dictionary? What, are there like a million words or something like that in the English language (guess) vs. millions in Chinese?

It would seem just branching out to Spanish, German, or whatever combinations would greatly decrease the success of brute force attacks.

I've analyzed password lists in several languages, and it depends on how the hashing algorithm encodes the password, or more specifically how the program sends the password to the hashing algorithm. Aka the MD5 of a UTF-8 encoded password is different vs. the MD5 of a codepage encoded password. That gets really interesting when someone switches between languages mid-password, (aka half of a password in a right to left language such as Arabic, and the other half in a left to right language such as English). Oh, and yes, increasing the keyspace due to multiple alphabets certainly can hurt a brute-force attack, but not as much as you would expect if the password set is mostly from the same group. There are other patterns as well. For example non-English native speakers tend to use more number replacements, (aka 1 for an 'l', 3 for an 'e', etc), while English speakers favor symbol replacements, (@ for 'a'). Also, in a Spanish set, numbers at the front of the password, such as '123password', were much more frequent than I've seen in other datasets, (most people put the numbers at the end). Like all things though, these are just averages, so it's really hard to nail down the origin of a user based on their password unless they use a non-English word in it.
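
The encoding point above, as an added example that is not part of the original comment: the same non-ASCII password hashes to different MD5 values depending on whether the application encoded it as UTF-8 or as a Windows codepage, while an ASCII-only password hashes identically everywhere. The sample passwords and the `matching_encoding` helper (a migration-side check for which encoding a legacy store used) are constructed here and are not from any real list.

```python
import hashlib
from typing import Dict, Optional, Sequence

# Constructed sample passwords, not taken from any leak. The last one mixes
# a right-to-left script (Arabic) with Latin letters, as the comment describes.
SAMPLES = ["password", "contrase\u00f1a", "\u0643\u0644\u0645\u0629password"]

# Encodings a legacy application might have used before hashing:
# UTF-8, Windows Western (cp1252) and Windows Arabic (cp1256).
ENCODINGS: Sequence[str] = ("utf-8", "cp1252", "cp1256")


def md5_hex(password: str, encoding: str) -> Optional[str]:
    """MD5 of the password's bytes under the given encoding.

    Returns None when the password cannot be represented in that encoding
    (e.g. Arabic letters in cp1252), which a legacy app would have had to reject
    or mangle before hashing.
    """
    try:
        data = password.encode(encoding)
    except UnicodeEncodeError:
        return None
    return hashlib.md5(data).hexdigest()


def hashes_by_encoding(password: str) -> Dict[str, Optional[str]]:
    """Map each candidate encoding to the MD5 the password produces under it."""
    return {enc: md5_hex(password, enc) for enc in ENCODINGS}


def matching_encoding(password: str, stored_hex: str) -> Optional[str]:
    """Migration check: given a user's known password and the hash from an old
    store, report which encoding the old application used, or None if none match.
    """
    for enc in ENCODINGS:
        digest = md5_hex(password, enc)
        if digest is not None and digest == stored_hex:
            return enc
    return None


if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), hashes_by_encoding(pw))
```

For "password" all three digests agree; for "contraseña" UTF-8 and cp1252 diverge, and the mixed Arabic/Latin sample cannot be encoded in cp1252 at all, which is why a verifier or cracker that guesses the wrong encoding never matches.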

Comment More Password Analysis (Score 1) 499

I managed to obtain a copy of the list, and have been doing some analysis on my blog http://reusablesec.blogspot.com/ with more to come. You can find a list of the top 100 passwords from the RockYou disclosure here: http://reusablesec.blogspot.com/2009/12/rockyou-32-million-password-list-top.html I've also been analyzing more lists such as the 10k Hotmail list that was released a couple of months ago. As for the recommendations that Imperva made, I think they are too tough on the users. Let's be honest, someone could have had a 28 character passphrase and it wouldn't have helped them since Rockyou stored all the passwords in plain text. For most people, online password cracking isn't the main problem. Phishing/keystroke loggers are much more prevalent, (due to their low cost to attackers). What this shows though is you really need to have different classes of passwords. You don't have to remember a different password for every site, (which is almost impossible without using some keyvault program), but you should use a different password for your webmail/bank accounts compared to all of the other sites.

Broke Counties Turn Failing Roads To Gravel 717

To save money, more than 20 Michigan counties have decided to turn deteriorating paved roads back to gravel. Montcalm County estimates that repaving a road costs more than $100,000 a mile. Grinding the same mile of road up and turning it into gravel costs $10,000. At least 50 miles of road have been reverted to gravel in Michigan the past three years. I can't wait until we revert back to whale oil lighting and can finally be rid of this electricity fad.