
The XKCD comic includes this note:

> 1000 Guesses/Sec (Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about.)




Provided they don't use the same password for several services

In which case, sooner or later they'll probably end up using the password on a site that stores passwords in plaintext, and after that no amount of entropy will help.

Or the website hashes the password, and then stores a plaintext (or weakly encrypted) copy in the database as well so they can make sure you don't use a "similar" password on the next change. And in fact keep like 30 passwords in the database so hackers can get a good sense of how you construct your passwords. All for better security of course.
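The comment above describes why keeping plaintext or reversibly encrypted copies for a "similar password" check is dangerous. As an added example, not code from the thread, here is the defensible alternative: keep a bounded history of salted, slowly hashed previous passwords and reject only exact reuse, so a database leak exposes no plaintext. The class and function names (`PasswordHistory`, `hash_password`, `verify`) and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration: a password-history store that retains only salted
# PBKDF2 hashes, never plaintext or reversible ciphertext. The iteration count
# is kept modest here for a runnable demo; production deployments use more.
ITERATIONS = 100_000
HISTORY_DEPTH = 5


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) for a password using a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Keeps the last `depth` password hashes for one account (newest last)."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # list of (salt, digest) tuples; no plaintext is ever stored

    def is_reused(self, candidate: str) -> bool:
        # Each history entry has its own salt, so every entry must be re-derived.
        return any(verify(candidate, salt, digest) for salt, digest in self.entries)

    def set_password(self, new_password: str) -> bool:
        """Reject exact reuse of a recent password; otherwise record the new hash."""
        if self.is_reused(new_password):
            return False
        self.entries.append(hash_password(new_password))
        # Bound the retained history so old hashes are not kept forever.
        del self.entries[:-self.depth]
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    print(history.set_password("correct horse battery staple"))  # True
    print(history.set_password("correct horse battery staple"))  # False, exact reuse
```

The trade-off is deliberate: hashed history can only detect exact reuse, not a "similar" password, because similarity requires the old plaintext. Accepting that limitation is what lets a compromised database reveal nothing about how a user constructs passwords.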

Oh that'd be a treasure trove for security researchers.

I think we should work on an open-source gem or plugin for CakePHP that does this and hope a website uses it. It would be very good data for research into the psychology of choosing passwords.

Just imagine all the potential findings!

