[tfinniga]

You could use it to create a password strength meter for your website, and enforce a certain strength.

Let's say it is common to include a subset of the username in passwords. Doing so would decrease the password strength and be disallowed.

Also, you could look at certain usernames and compute likelihood of certain dictionary words, and disallow them. For example, a user named Bob might be unlikely to use spanish words in a password, but a user named Jose might be more likely.

Being aware of methods/info used by crackers when designing secure systems will lead to stronger systems.

[pbreit]

I just can't see how any of that is realistic or very useful. More energy needs to be spent on preventing breaches, not silly password requirements.

[tfinniga]

> More energy needs to be spent on preventing breaches

Hard to argue against that.

> not silly password requirements

You don't think that password requirements help prevent breaches?

Try this: hook up a server to the internet that's open to ssh. If you look at the ssh login attempt logs, you'll notice that you constantly have people banging against it, trying to log in as root. Yes, password requirements are a small part of overall security, but they are very helpful.

[pbreit]

Brute force attacks are too easy to mitigate. I'd like to see the energy go to defaulting against brute-force attacks.