[dj-wonk]

Forgive me for doing so, but allow me to ask some possibly ignorant questions and perhaps play the devil's advocate for a moment. What about this release will help? What are the compelling research problems in the space?

We know users pick bad passwords. It seems to me the most compelling "problem" is hardly a research question -- isn't it about finding ways to encourage users pick strong passwords, not share them between sites, and not put them on sticky notes on their monitors.

Ok, putting my charitable hat again... My best guess is that researchers would like some idea about how long it takes to crack some percentage of accounts; e.g. with rainbow tables or other techniques?

The author mentioned "Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone." What directions might a researcher take this?

[m8urn]

The main reason I have always included usernames and passwords in my research is because it allows me to analyze frequency data across multiple sites. Although I could have anonymized the usernames, I thought it would be best to keep them in. There is good value there. For example, there is quite a bit of overlap between usernames and passwords. Also, how many users include all or part of their usernames in their passwords. Plus, what usernames might hackers be most likely to try out?

The main goal here is to put the data out there and let other researchers find the value in it.

[pbreit]

So how would you utilize such knowledge in the real world?

[tfinniga]

You could use it to create a password strength meter for your website, and enforce a certain strength.

Let's say it is common to include a subset of the username in passwords. Doing so would decrease the password strength and be disallowed.

Also, you could look at certain usernames and compute likelihood of certain dictionary words, and disallow them. For example, a user named Bob might be unlikely to use spanish words in a password, but a user named Jose might be more likely.

Being aware of methods/info used by crackers when designing secure systems will lead to stronger systems.

[pbreit]

I just can't see how any of that is realistic or very useful. More energy needs to be spent on preventing breaches, not silly password requirements.

[tfinniga]

> More energy needs to be spent on preventing breaches

Hard to argue against that.

> not silly password requirements

You don't think that password requirements help prevent breaches?

Try this: hook up a server to the internet that's open to ssh. If you look at the ssh login attempt logs, you'll notice that you constantly have people banging against it, trying to log in as root. Yes, password requirements are a small part of overall security, but they are very helpful.

[pbreit]

Brute force attacks are too easy to mitigate. I'd like to see the energy go to defaulting against brute-force attacks.

[hyperion2010]

The main issue is that attackers already have this data. They have a giant head start when when guessing passwords because just by looking at the username they can vastly reduce the search space. Whitehats and the public need to know how blackhats are reducing that search space. By making good faith publication and research on passwords risky (legally unattractive) we actively weaken security. I find it amusing that people find sharing password/username pairs questionable yet we don't seem to hold companies accountable when they loose millions of the things at once. Talk about a double standard. (RE: companies have lawyers and the little guy can get fucked for all anyone cares)