funsec mailing list archives

thoughts on a tool to educate users in the wake of password breaches


From: Stephanie Daugherty <sdaugherty () gmail com>
Date: Thu, 7 Jun 2012 20:59:47 -0400

In the wake of the LinkedIn, eHarmony, and last.fm password breaches, I've
been thinking about how to make a tool that will educate users on password
security in a way that will hit home.

It's relatively cheap to do sha1 hashing of a password and then compare it
to a database of compromised hashes, like several sites are now doing. What
I'd love to see done with this is to turn this data into something that
helps people avoid stupid password mistakes.

Distribute a list of weak and previously compromised passwords as a list of
SHA1 hashes (since they are probably going to keep getting leaked anyway).
Tag the entries with source information.
Have a simple component that can be integrated into a site's login and
password reset processes. When someone tries to log in, compare their
password to known compromised passwords at the same time you compare it to
their stored hash. If you find their password in the list of compromised ones,
give them a warning message, and make them go through whatever forgot
password process your site uses.

+------------------------------------------------+
Your password is no longer valid.
This password was exposed publicly
by a security breach on $site
$link_to_news_headline

If you have used this password on
other sites, you should change
your password there as well.

As a reminder, it's a bad idea to
use the same password on more than
one site.

+------------------------------------------------+


It would be a little creepy, but I think creepy is what's needed to teach
people not to reuse passwords.

-Stephanie
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
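A worked version of the check described in the post, added here as an example; it is not code from the post or from any of the sites mentioned. The breach list contents, the source tags, the example.invalid links and the wording of the message are constructed for illustration. It also adds two things the post does not spell out: stored credentials are verified with a salted, slow KDF (PBKDF2 is assumed here; the SHA1 list is only used as a lookup table of already-public passwords), and an optional range-query lookup on the first five hex characters of the hash, so a site can query a central list without sending the full hash.

```python
"""Added example: breached-password check wired into login and password reset,
as sketched in the post above. Not the post's own code; list contents, source
tags, links and message text are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample of the distributed list: SHA-1 hex digest of a leaked or
# weak password -> (source tag, link). SHA-1 is acceptable for this lookup
# table because the inputs are already public; it is not used to store
# credentials.
COMPROMISED = {
    hashlib.sha1(b"linkedin2012").hexdigest(): ("LinkedIn", "https://example.invalid/linkedin-breach"),
    hashlib.sha1(b"iloveyou").hexdigest(): ("eHarmony", "https://example.invalid/eharmony-breach"),
    hashlib.sha1(b"123456").hexdigest(): ("multiple breaches", "https://example.invalid/top-passwords"),
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_compromised(password: str) -> Optional[Tuple[str, str]]:
    """Return (source, link) if the password is on the list, else None."""
    return COMPROMISED.get(sha1_hex(password))


# Assumed refinement, not in the post: the list maintainer answers range
# queries on the first 5 hex characters of the SHA-1, so the querying site
# never sends the full hash and the maintainer cannot tell which of the
# candidate passwords under that prefix was being checked.
def range_query(prefix: str) -> dict:
    """Simulated maintainer side: every suffix stored under one 5-char prefix."""
    return {h[5:]: src for h, src in COMPROMISED.items() if h.startswith(prefix)}


def lookup_compromised_by_range(password: str) -> Optional[Tuple[str, str]]:
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:])


# Stored credentials use a salted, slow KDF (PBKDF2-HMAC-SHA256 assumed here).
def make_stored_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_stored_hash(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Hashed once so that a login for an unknown user costs the same as a real one.
_DUMMY_HASH = make_stored_hash("dummy-password-for-timing")


def breach_message(source: str, link: str) -> str:
    return ("Your password is no longer valid.\n"
            "This password was exposed publicly by a security breach on %s\n%s\n\n"
            "If you have used this password on other sites, change it there as well.\n"
            "As a reminder, it's a bad idea to use the same password on more than one site."
            % (source, link))


def login(username: str, password: str, users: dict) -> dict:
    """users maps username -> stored hash string. Returns a decision dict."""
    stored = users.get(username, _DUMMY_HASH)
    # The breach warning is only shown after the stored hash verifies, i.e. to
    # someone who already knows the password. Failed logins keep the usual
    # generic message, so the check adds no oracle over other people's accounts.
    if username not in users or not verify_stored_hash(password, stored):
        return {"status": "denied", "message": "Invalid username or password."}
    hit = lookup_compromised(password)
    if hit is not None:
        return {"status": "reset_required", "message": breach_message(*hit)}
    return {"status": "ok", "message": "Welcome."}


def acceptable_new_password(password: str) -> Tuple[bool, str]:
    """Same list applied in the reset flow, so the user cannot pick a known-bad password."""
    hit = lookup_compromised(password)
    if hit is not None:
        return False, "That password appeared in the %s breach; choose a different one." % hit[0]
    return True, "ok"


if __name__ == "__main__":
    users = {"alice": make_stored_hash("iloveyou"),
             "bob": make_stored_hash("correct horse battery staple")}
    print(login("alice", "iloveyou", users))
    print(login("bob", "correct horse battery staple", users))
    print(login("bob", "wrong", users))
    print(acceptable_new_password("123456"))
```

The order of the two checks matters: verifying the stored hash first means the "exposed on $site" message reaches only the account owner, and an attacker running a password list against the login form sees nothing but the ordinary failure. Applying the same lookup in the reset flow closes the obvious loop where the user is forced to change the password and then picks another one from the same list.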
