How to Harvest Passwords

Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

For the record, here’s how to choose a secure password:

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle. Even something lower down on PRTK’s dictionary list — the seven-character phonetic pattern dictionary — together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in.

EDITED TO ADD (12/5): Note that I am not actually accusing them of harvesting passwords, only pointing out that you could harvest passwords that way.

Posted on November 29, 2007 at 7:03 AM • 105 Comments