
Zxcvbn: realistic password strength estimation

Over the last few months, I’ve seen a password strength meter on almost every signup form I’ve encountered. Password strength meters are on fire. Here’s a question: does a meter actually help people secure their accounts? It’s less important than other areas of web security, a short sample of which includes: preventing online cracking with throttling or CAPTCHAs; preventing offline cracking by selecting a suitably slow hash function with user-unique salts; securing said password hashes. With that disclaimer — yes. These are only the really easy-to-guess passwords. Strength is best measured as entropy, in bits: it’s the number of times a space of possible passwords can be cut in half. For a password of length n drawn uniformly from an alphabet of c characters, entropy = n * lg(c). This brute-force analysis is accurate for people who choose random sequences of letters, numbers and symbols. As a result, simplistic strength estimation gives bad advice. The table below compares zxcvbn to other meters. A few notes: I took these screenshots on April 3rd, 2012.

GRC's | Password Haystacks: How Well Hidden is Your Needle? ... and how well hidden is YOUR needle? Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered. If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon . . . or enough later? This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. (The Haystack Calculator has been viewed 3,878,046 times since its publication.) IMPORTANT!!! It is NOT a “Password Strength Meter.” Since it could be easily confused for one, it is very important for you to understand what it is, and what it isn't.

Whitepixel breaks 28.6 billion password/sec - Zorinaq I am glad to announce, firstly, the release of whitepixel, an open source GPU-accelerated password hash auditing software for AMD/ATI graphics cards that qualifies as the world's fastest single-hash MD5 brute forcer; and secondly, that a Linux computer built with four dual-GPU AMD Radeon HD 5970 graphics cards for the purpose of running whitepixel is the first demonstration of eight AMD GPUs concurrently running this type of cryptographic workload on a single system. This software and hardware combination achieves a rate of 28.6 billion MD5 password hashes tested per second, consumes 1230 Watt at full load, and costs 2700 USD as of December 2010. The capital and operating costs of such a system are only a small fraction of running the same workload on Amazon EC2 GPU instances, as I will detail in this post. [Update 2010-12-14: whitepixel v2 achieves a higher rate of 33.1 billion password/sec on 4xHD 5970.] That said, speed is not everything.

What's My Pass? » The Top 500 Worst Passwords of All Time From the moment people started using passwords, it didn’t take long to realize how many people picked the very same passwords over and over. Even the way people misspell words is consistent. In fact, people are so predictable that most hackers make use of lists of common passwords just like these. To give you some insight into how predictable humans are, the following is a list of the 500 most common passwords. There are some interesting passwords on this list that show how people try to be clever, but even human cleverness is predictable. “…Approximately one out of every nine people uses at least one password on the list shown in Table 9.1!” (Table 9.1 lists the top 500 worst passwords of all time, not considering character case.) Source: Perfect Passwords, Mark Burnett 2005

About normalize.css Normalize.css is a small CSS file that provides better cross-browser consistency in the default styling of HTML elements. It’s a modern, HTML5-ready, alternative to the traditional CSS reset. Normalize.css is currently used in some form by Twitter Bootstrap, HTML5 Boilerplate, GOV.UK, Rdio, CSS Tricks, and many other frameworks, toolkits, and sites. Overview Normalize.css is an alternative to CSS resets. The aims of normalize.css are as follows: preserve useful browser defaults rather than erasing them; normalize styles for a wide range of HTML elements; correct bugs and common browser inconsistencies; improve usability with subtle improvements; explain the code using comments and detailed documentation. It supports a wide range of browsers (including mobile browsers) and includes CSS that normalizes HTML5 elements, typography, lists, embedded content, forms, and tables. Despite the project being based on the principle of normalization, it uses pragmatic defaults where they are preferable.

HTML5 Boilerplate: The web's most popular front-end template

Raphaël—JavaScript Library

Processing.js

10,000 Top Passwords Back when I wrote Perfect Passwords, I generated a list of the top 500 worst (aka most common) passwords which seems to have propagated quite a bit across the internet, including being mentioned on Gizmodo, Boing Boing, Symantec, Laughing Squid and many other sites. Since then I have collected a large number of new passwords bringing my current list to about 6,000,000 unique username/password combos, including many of those that have been recently made public*. At some point I will make this full data set publicly available but in the meantime, I have decided to release the following list of the top 10,000 most common passwords. This list is ranked by counting how many different usernames appear on my list with the same password. Here are the files: 10,000 Most Common Passwords List; 10,000 Most Common Passwords with Frequency. The following graph illustrates how often users select common passwords. Here are some interesting facts gleaned from my most recent data:

HTML5 Canvas Drawing Library Exploration: Paper.js | eccesignum

    var currentShape = "circle";
    var isPaused = true;
    var isInitialized = false;
    var buttons = [];
    var pauseButton;
    var shapes = ["circle", "tricuspoid", "tetracuspoid", "epicycloid", "epicycloid 2", "epicycloid 3", "lissajous", "lemniscate", "butterfly"];
    var w = 800;
    var h = 480;
    var centerX = 240;
    var centerY = 240;
    var radius_x = 150;
    var radius_y = 150;
    var theta = 0;
    var objects = [];
    var numObjects = 0;
    var r2d = 180 / Math.PI;
    var d2r = Math.PI / 180;
    var orbitSteps = 180;
    var orbitSpeed = Math.PI * 2 / orbitSteps;
    var objectInterval;
    var objectPosition;
    var direction = 1;
    var index = 0;
    var xVar1 = 0;
    var xVar2 = 0;
    var xVar3 = 0;
    var xVar4 = 0;
    var startingObjects = 100;
    var newX;
    var newY;

    initInterface();
    initObjects();
    onFrame();
    isInitialized = true;

    function initInterface() {
        var xOff = 650;
        var yOff = 25;
        for (var i = 0; i < shapes.length; i++) {
            var bGroup = new Group();
            var btn = new Rectangle(new Point(0, 0), new Size(150, 20));
            var btnPath = new Path.Rectangle(btn);
            btnPath.fillColor = "#ededed";
            btnPath.strokeColor = "#808080";
            fontSize:10,

Specialization or blind loyalty? Designing only for WordPress | Flywheel - Managed WordPress hosting for designers August 19, 2014 by Chris Wolfgang You, along with many design, dev, and creative shops around the globe, have probably at least considered making a complete shift to building only for WordPress. As a CMS, it’s relatively simple, has complexity where it counts, and clients are finally comfortable with it. Whether you’ve taken the leap, you’re still contemplating, or you’ve decided against it, this thought probably found its way into your brain at some point: The continued success of our business would depend on the continued success of WordPress. Should that scare me? Understand that it’s risky. Tom Greenwood, co-founder of Wholegrain Digital: “We have this conversation a lot.” Greenwood laughed, but don’t deny it: You’ve wondered about WordPress’ longevity too. “Maybe something new and exciting is going to come along and blow it out of the water,” Greenwood said. Watch for CMS newcomers. Keep your finger on the WordPress pulse. So. “Yes, I would.”

paper.js animation along a path