How major web companies (and banks) handle passwords quite wrong
There’s a very interesting “movement” in password handling going on for a long time, the basic idea is to encourage people NOT to use passwords that consists of letters, numbers and special characters and use VERY LONG text only.
This may sound weird, as this is exactly the opposite of what every internet-using person has been teached all over the years, even by the biggest websites on the planet, even by banks and high-risk applications.
But it’s wrong.
There is this excellent “comic” describing quite good why special chars in a password are not really good:
Have a look on the excellent talk on security.stackexchange.com about that:
http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase
The really weird thing is, that even the biggest player, even banks, paypal etc. still rely on the old-school password judging. I’ve found an excellent article that shows disturbing results of the companies password strenght meter, just have a look (click for larger picture):
Find the full article here:
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
Remember, these are some of the biggest internet-players, companies whose user accounts are extremely valueable for hackers!
Awesome.
Note: This article will get updates.
Random articles
Interesting stats on SONY’s hacked passwords
Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines
Microsoft enters post-password era with Hello (promo video)
Google I/O 2014 – HTTPS Everywhere (video)
Hacked french TV channel exposed passwords in TV interview (video, screenshots, links)
DEF CON 18 – When your computer got stolen and you can still SSH into it: “Pwned by the 0wner” (22min conference talk)
How the PHP session garbage collector really works
Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected
The SSL Heartbleed bug explained in 30 seconds