Slashdot Mirror

← Back to Stories (view on slashdot.org)

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org)

Posted by BeauHD on from the easy-as-1-2-3 dept.

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

71 of 136 comments (clear)

  1. pwgen -s 16, bitches. by Anonymous Coward · · Score: 5, Informative

    That is all.

    Entropy is _everything_ in passwords. Use lots of it.

    1. Re:pwgen -s 16, bitches. by chuckugly · · Score: 1

      There are actually sites out there that won't eat any password over 12 characters if you can believe that.

    2. Re: pwgen -s 16, bitches. by Arnold+Reinhold · · Score: 1

      [1]: One caveat is that some diceware dictionary contain words with less than 12.9 bits of entropy such as pairs of numbers (e.g. 21), in a case like that a naive brute force attack could actually outperform one that knows the dictionary in use.

      That's not quite right. The entropy in Diceware, or any other system that selects random words from a list, comes for the number of words in the list, not from the individual words. It is of course possible that a random Diceware passphrase could consist entirely of "words" that were numeric, or single characters or the like, and that passphrase could then be vulnerable to a brute force attack, but the odds of that happening are extremely low and it would be easy to spot and just generate another passphrase. This is not much different from the fact that a password randomly selected from alphanumeric characters could (with very low probability) come out all numeric.

    3. Re:pwgen -s 16, bitches. by hattable · · Score: 1

      Even worse, my previous bank maxed passwords out at eight chars. But instead of telling you this when registering or changing passwords, the interface simply made the input field a fixed width at eight em and fixed input length at eight. I only realized this was the case while seriously fat fingering the last few characters and enter, but still logged right in.

      --
      OMG facts!
    4. Re:pwgen -s 16, bitches. by WinstonWolfIT · · Score: 1

      Pointless. 2fa your bank and get on with your life.

    5. Re:pwgen -s 16, bitches. by Buchenskjoll · · Score: 1

      But what if the universe runs out of entropy?

      --
      -- Make America hate again!
    6. Re:pwgen -s 16, bitches. by K.+S.+Kyosuke · · Score: 1

      The original Interbase had fascinating password limitations. Eight characters, case insensitive...

      --
      Ezekiel 23:20
    7. Re:pwgen -s 16, bitches. by KozmoStevnNaut · · Score: 2

      NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.

      Of course, it also uses mandatory 2-factor authentication, but still.

      --
      Eat the rich.
    8. Re:pwgen -s 16, bitches. by GNious · · Score: 1

      Based on news throughout the lifetime of NemID, this seems to be FAR from the worst issue with NemID.

    9. Re:pwgen -s 16, bitches. by Maritz · · Score: 1

      Hey no problem, fresh entropy every day.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    10. Re:pwgen -s 16, bitches. by Ol+Olsoc · · Score: 1

      That is all.

      Entropy is _everything_ in passwords. Use lots of it.

      Oh boy, it's she semi-monthly Slashdot Password thread.

      Make certain you use 5 sets of random numbers, and all special characters, and a minimum length of 1200 characters with a new password generated every 5 minutes. And for gawd's sake, never write it down.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    11. Re:pwgen -s 16, bitches. by Carewolf · · Score: 2

      NemID, the big all-encompassing public Danish login system, which is used for everything from public services to online banking, uses case insensitive passwords, which is just mind-boggling.

      Of course, it also uses mandatory 2-factor authentication, but still.

      Well, after people complaining about case-insensitive passwords, the did change. Now they only allow digits.

    12. Re: pwgen -s 16, bitches. by sound+vision · · Score: 1

      Probably cuts down on the number of support requests which I could see being expensive in a system like this. Most users would not take advantage of case anyway. And you, as a conscious user, can still make a secure password despite the limited character set.

    13. Re: pwgen -s 16, bitches. by sound+vision · · Score: 1

      Who will he switch to, Wells Fargo?

    14. Re:pwgen -s 16, bitches. by KozmoStevnNaut · · Score: 1

      I'm still using an alphanumeric password. The PIN thing is optional AFAIK.

      --
      Eat the rich.
    15. Re:pwgen -s 16, bitches. by snookiex · · Score: 1

      +1 Been there, done that

      --
      Open Source Network Inventory for the masses! Kuwaiba
    16. Re:pwgen -s 16, bitches. by Carewolf · · Score: 1

      My alphanumeric password stopped working, and when I generated a new password I was not allowed to use letters anymore :D

    17. Re:pwgen -s 16, bitches. by pslytely+psycho · · Score: 1

      God dies.....??

      --
      Donald Trump, on a crusade to make Nixon look respectable
    18. Re: pwgen -s 16, bitches. by WinstonWolfIT · · Score: 1

      This point is absurd.

  2. Re: Good reason to not have a Slashdot account. by Anonymous Coward · · Score: 1

    I disagree. Having an account aids in the conversation process. Replying to AC posts means that an AC is unlikely to receive a notice and reply.

    While slashdot accounts can be hacked, nothing of value is lost. As long as the member can prove their identity via other means.

    Signed, testing "Post Anonymously" checkbox.

  3. Not new, John the Ripper does this, just not "AI" by aberglas · · Score: 2

    Maybe this is a bit better than John (or maybe not), but John also employs "Learning Heuristics" but just calls them clever code.

  4. Rules are made to be broken by Monster_user · · Score: 1

    Teach a person to create passwords according to certain rules, and then teach a machine learning implementation those same rules, its a computer doing what it was designed to do, what it was always going to do. A human just has to teach the computer to think like a human.

    Rules create structure, consistency, something which can be automated.

    A lack of rules lends itself towards laziness.

    So we are the problem, and we must figure out how to outsmart ourselves.

    1. Re:Rules are made to be broken by Anonymous Coward · · Score: 1

      A lack of rules lends itself towards laziness.

      Granpa?! Is...is that you? Oh! I always knew I'd find you!

    2. Re:Rules are made to be broken by ColdWetDog · · Score: 1

      The problem is, when you let the website do that, the idiot dev goes "I know, I'll base it off the time stamp - that'll be easy and unique and all"

      I'm looking at YOU Experian.

      --
      Faster! Faster! Faster would be better!
  5. Those are crap passwords by DontBeAMoran · · Score: 1

    Complete words? Please.

    --
    #DeleteFacebook
  6. Not exactly cracking by mbone · · Score: 4, Insightful

    This is a dictionary attack, which is not the same as cracking, assuming that they can't make a few 100 million trials to crack into each account.

  7. Call it Machine Learning by Xylantiel · · Score: 3, Informative

    Not AI, since it is actually machine learning. It's really stunning how far the rebranding of machine learning as AI has progressed. Maybe even machine training is more appropriate. AI is just not.

    1. Re:Call it Machine Learning by AvitarX · · Score: 1

      Not that shocking.

      Machine learning and artificial intelligence are similar enough linguistically that I could see a translator using one instead of the other (context free).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Call it Machine Learning by Luthair · · Score: 2

      Sad when this used to be one of the sites with the most technical background. Now we're no better than the tech blocks spamming these submissions.

    3. Re:Call it Machine Learning by Anonymous Coward · · Score: 1

      FYI: You're fighting a lost battle.

      The old term AI (artificial intelligence) includes stuff like NN (neural networks), GA (genetic algorithms) and ML (machine learning). That will never change. Give up. You've lost.

      The new terms are AGI (artificial general intelligence) and ASI (artificial super intelligence).

    4. Re:Call it Machine Learning by lorinc · · Score: 2

      From https://aaai.org/ in the description of next year's conference:

      AAAI-18 welcomes submissions reporting research that advances artificial intelligence, broadly conceived. The conference scope includes all subareas of AI and machine learning.

      Now, if you think you are such an expert in the field to say that the Association for the Advancement of Artificial Intelligence, which was founded in 1979 as an academic association, is wrong about the definition of artificial intelligence, I'd like to hear what contributions to the field you made that can back up the idea. If you did none, then just let the scientists working in the field define what AI means and contains, and accept it.

      --
      Video of some good progressive thrash music
    5. Re:Call it Machine Learning by hey! · · Score: 1

      Well, to be fair machine learning addresses the most practical near-term applications of AI: replacing human judgment in classification, and extending that to volumes of data humans can't handle.

      It may not be any kind of progress toward building something like Daneel Olivaw, but if that ever happens it probably won't happen because machines that are actually like humans are all that useful. It'll happen because someone wants to know if its possible.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:Call it Machine Learning by andydouble07 · · Score: 1

      This. I was studying various machine learning techniques over a decade ago and everyone involved talked about them as being under the umbrella of AI. Any divergence of terms happened so long ago that it's not worth recognizing anymore.

  8. Not Impressed by pubwvj · · Score: 2

    "figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. "

    That is not all that impressive given that most people use poor passwords.

    It is easy to do good passwords but not common.

    1. Re:Not Impressed by Kjella · · Score: 4, Insightful

      It's easy to do one good password. But when you have one for your email, your bank, your home machine, your work machine, facebook, linkedin, slashdot and so on you either:

      a) Use the same good password with or without a trivial modifier (hint: if your password is 4s!fFNkC_gmail, it doesn't take a genius to figure out every other password)
      b) Use a password manager (which means you're always carrying all your keys, you're lost without it etc.)
      c) Got an absurdly good memory wasted remembering tons of gibberish.
      d) Divide it into tiers and use the same not-so-important password for all the not-so-important accounts.

      My email password is unique, because it's the reset for so much else. My online bank password is unique, because it's actual money. The rest goes into buckets like "Wow, you can troll as me on forums... whatever." while LinkedIn go one tier higher like "Can drag my name through the shitter" and above that is "Can run off with my Steam, Spotify account etc." which is not directly cash but valuable none the less. There's just too many passwords to care about all of them.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Not Impressed by pubwvj · · Score: 1

      I have about 2,000 passwords that I use. It is a bother but it is the current tech. We'll all get past this soon. Yes, I fall in category (c) above. I also remember names. It makes for a good game.

  9. I'm gonna have to call bullshit on this by Snotnose · · Score: 1

    First, if your password is someone's birthday/anniversary/death day/pet name/kid name, a hacker targeting you has already tried it. Second, if you simply either A) think of a phrase and use every first letter for a password (my method); or b) think of 3-4 words and string them together (Randall Monroe's method), you ain't gonna get hacked via password guessing. Period.

    Um, assuming the website you're using has basic security protocols in place, Which Equifax has just shown ain't the case.

    1. Re:I'm gonna have to call bullshit on this by Maxo-Texas · · Score: 1

      Use words mixed with standard but arbitary punctuation and numbers.

      For example
      The quick brown fox jumped over the lazy dog.

      Tqbfjotld - probably not secure.

      T?qbfjotl9D - fairly secure now. Easy to type too.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    2. Re:I'm gonna have to call bullshit on this by Anonymous Coward · · Score: 1

      Only the more common (ie google's datapiles, book texts) phrases will be vulnerable. The pool of phrases is exponentially larger than the current dictionary fashion.

      Adding a single dimension of modification to dictionary fashion only bought us some time, and TFS says it's up.

      Adding a single dimension of modification to phrases will, by virtue of the larger base, be highly resilient. Even without modification, rrrybgdts is fairly strong in 2017's conditions. With mods (eg your eg)

      However, GP's Monroe reference is an outdated joke. The comic is effectively a four-letter password. Unmodified, it's very low entropy. Praising resilience against a method no one uses is disingenuous. Small bruteforces are a lolwhynot sweep, no one bothers hiring botnets to crunch past 5~6 characters unless it's a targeted effort. A twenty-character password is like spending your entire country's defense budget on gasmasks.

      Phrases are the way to go. Good luck using a year-old cracking tool that was built on a year-old database using a, at the time, year-old google scrape. It will be aware of Rick Astley's "nggyunglyd" and other stale pop culture.

      rrrybnggyu is said nursery rhyme plus said rickroll. Take advantage of how human cognition works. A phrase (a concept) weighs one "recollection" of effort yet includes high entropy. You don't even remember the actual password, if you want to write it down you have to re-derive it from the much-easier mental concept.

      Note your example mod (several in there) becomes powerful, yes, but that dogpile costs much more complexity. It weighs more. It's an overengineered scaffold, wasting metal. Increased complexity tax means encouraging re-use, multi-location use, encouraging storage (write-down) somewhere, discouraging password cycle-out, increasing need to provide Forgot Password functionality (whether system bake-in, human IT, etc)

    3. Re:I'm gonna have to call bullshit on this by Maxo-Texas · · Score: 1

      My particular method (which I did not fully reveal) produces unique derivable passwords per site so writedown is not an issue.

      It does develop a problem over a period of several years. I.e. I have some sites that change passwords frequently and that eventually drives me to change my base pattern. No problem at first but after several base phrase changes, now it becomes a question of which base phrase was in use when I return to a site I don't even recall visiting and it knows me and requests a password. I can try a couple likely candidates and reset to the current base pattern. After that it's password reset territory.

      Purchasing a new phone also seems to set off a password storm.

      I do not like using services or apps which store passwords. They just seem to be begging on my knees to be compromised when those sites are inevitably compromised.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  10. AI can never match my skill. by 140Mandak262Jamuna · · Score: 4, Insightful
    I guessed all, 100%, every last code of ALL ATM Cards. OMG, I am amazing. I will post my guess of mere 10,000 numeric four digit codes used to secure the ATM cards. It will definitely contain your ATM card code. Am I not amazing.

    Yeah, true, my set has the code but does not link the code with any actual card. But, this AI thing also just guessed some possible passwords. That is all, It did not match it with any account. So, at least in that sense, I beat that thing hollow!

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:AI can never match my skill. by freeze128 · · Score: 1

      That's why my ATM PIN has 5 digits.

    2. Re:AI can never match my skill. by 140Mandak262Jamuna · · Score: 1

      Is that so? Take my guess of just 100,000 code set. Gotcha!

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. I don't get how this helps by Maxo-Texas · · Score: 2

    With limited attempts, you can't try that many passwords before the account is blocked.

    What secure sites give you unlimited attempts to sign in?

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    1. Re:I don't get how this helps by AvitarX · · Score: 1

      Isn't that how the fappening happened?

      Apple didn't have attempt restrictions on its API access?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  12. Re:Good reason to not have a Slashdot account. by AvitarX · · Score: 2

    The fact that you can identify bad posters and filter them out is reason enough to have an account IMO.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  13. Re:True Story by AvitarX · · Score: 1

    It's probably enough to stop people from casually using her computer.

    If that was indeed the goal, it seems fine to me.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  14. Passwords at least 14 random chars, nums, symbols. by kauaidiver · · Score: 4, Interesting

    A good estimator: https://www.grc.com/haystack.h...

    For example: abc123ABC!1234

    Search Space Depth (Alphabet): 26+26+10+33 = 95
    Search Space Length (Characters): 14 characters
    Exact Search Space Size (Count):
    (count of all possible passwords with this alphabet size and up to this password's length) 4,928,630,108,082,482,617,642,017,120
    Search Space Size (as a power of 10): 4.93 x 1027
    Time Required to Exhaustively Search this Password's Space:
    Online Attack Scenario: (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
    Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 15.67 million centuries
    Massive Cracking Array Scenario:(Assuming one hundred trillion guesses per second) 15.67 thousand centuries

  15. Trivial to defend against! by blind+biker · · Score: 1

    4 attempts: get a timeout of 1 hour. After 7 failed attempts get a timeout of 1 day. After 9 failed attempts get a timeout of 1 year.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  16. Re: Good reason to not have a Slashdot account. by ColdWetDog · · Score: 2

    That's nonsense. Slashdot could easily implement a reply notification system that doesn't rely on an explicit, persistent user account here. It's trivial to do using ...

    I take it you forgot about the beta debacle.

    'Slashdot could easily implement' is really just crazy talk.

    --
    Faster! Faster! Faster would be better!
  17. My ego is now Trumpsize by Tablizer · · Score: 3, Interesting

    I called it 3 years ago! (Well, okay C2 called it, but I get repost cred. Biggest repost ever, believe me!)

    --
    Table-ized A.I.
  18. Re:Passwords at least 16 random chars, nums by Anonymous Coward · · Score: 1

    I've been using 16-digit random alphanumeric passwords for about a decade now. I use a script that dds from /dev/urandom, calls base64, strips out the two non-alphanumeric values, and then truncates to 16 digits. It works everywhere except backwater websites that limit you to 8 characters or 4-digit pins.

    log2(95^14) = 14 * log2(95) = 91.98 bits of entropy for 14-digit alphanumeric+symbols
    log2(62^16) = 16 * log2(62) = 95.27 bits of entropy for 16-digit alphanumeric-only

  19. Somewhere out there... by Yaztromo · · Score: 1

    Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

    You know, somewhere out there a /.er is frantically trying to change their password now that /. has posted it on the front page.

    Yaz

  20. I always use poor passwords by FeelGood314 · · Score: 1

    For sites I don't care about. Most people have 3 good passwords, 1 for email, 1 for banking and one they reuse everywhere. Most people use shit passwords for work because the work password rules encourage poor passwords. Sites that actually care about security will use a single sign on service like gmail or facebook.

  21. Re:Good reason to not have a Slashdot account. by AmiMoJo · · Score: 2

    Look at creimer/cdreimer or AmiMoJo or PopeRatzo or the many other registered users here who, in my opinion, routinely post idiotic shit.

    Unlike Anonymous Coward, who seems to be suffering from multiple split personalities and politically can best be described as a Nazi communist anarcho-authoritarian ballsack.

    Still, nice to know the Pope and I are somewhat (in)famous.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  22. Re:Good reason to not have a Slashdot account. by arobatino · · Score: 1

    An account is only vulnerable if people use weak passwords, or reuse them across multiple sites (some of which are probably storing them in plaintext). People should use a unique randomly generated password for each site, storing them with a password manager (and backing it up), not try to be Rain Man and remembering all of them.

    An account can develop a reputation, which helps moderation. And the owner can be anonymous, so not vulnerable to retaliation.

    Having said all that, I can't see any good reason for requiring an account for submitting stories. They can stand or fall on their own merit.

  23. Re:Good reason to not have a Slashdot account. by Cederic · · Score: 4, Informative

    registered users here who, in my opinion, routinely post idiotic shit.

    Having my posts against my pseudonym makes it easier for people that dislike my idiotic shit to use the Slashdot 'foe' system to auto-mod me out of their sight. I'm fine with that.

    Slashdot knowing that my posts are from me means that the site can send me emails when people reply to my posts. That lets me continue a conversation.

    There are nothing but drawbacks to having an account here. There are no benefits that I can see.

    Slashdot should also go back to how it used to be and get rid of the need for an account when submitting stories.

    Well, I've highlighted a couple of benefits. I'm with you on the story submissions though, a story either stands on its own or it doesn't. Much the same as an AC comment.

  24. Re:Life Choices by Cederic · · Score: 1

    As your password, or your name?

  25. Re:Good reason to not have a Slashdot account. by esperto · · Score: 1
    The risk associated with the discussion forum account comes from people reusing passwords or having a pattern, if you use password managers with random passwords, the risk is almost non existent, but if you are really paranoid you could just use single use email accounts.

    There are benefits to having an account here and in other discussion forums, as pointed out in other answers, and the security risk comes from bad habits, not the account themselves.

  26. There has to be a better way by hyades1 · · Score: 2

    How about, after an arbitrary number of attempts, say 10, characters entered into the password window would only be accepted at about the typing speed of an average person. For real people, no discernible difference; for a hacking program, frustration.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:There has to be a better way by Brandydy · · Score: 1

      You should visit this page https://essayclick.net/ to find lots of cool articles and topics on related articles

    2. Re:There has to be a better way by hyades1 · · Score: 1

      Yeah, that would work.

      I've always wondered why any site that feels it necessary to protect your access by demanding a password would allow a program clearly designed for gaining unauthorized access to blast billions of possible passwords at it until one worked.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    3. Re:There has to be a better way by xfade551 · · Score: 1

      How about just an exponential cooldown timer that increases after every failed attempt, that ignores input during the cooldown period. Start the timer after the first failed attempt at 0.5 seconds, then 1, 2, 4, 8... An automated attack might even guess it right during the cooldown period, but getting a negative result, would discard the correct password.

    4. Re:There has to be a better way by hyades1 · · Score: 1

      That also sounds like an excellent idea. What really, really annoys me is that average people can come up with these in a minute or two. If they wouldn't work right out of the box, they could certainly be adapted by experts quickly enough.

      If I'm going to sign into a password-protected site, I'll either have my password or admit fairly quickly I've forgotten it, and have the site initiate whatever reset procedure is appropriate. Under no circumstances will I need a couple of billion tries to access whatever it is the site holds for me.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  27. Clickbait by GLMDesigns · · Score: 1

    Wow. It guessed linkedin passwords.

    I hope that most people have an algorithm to remember their passwords and use a simple one for non-essential sites such as LinkedIn.

    There is zero chance that an AI can guess my bank or email passwords. A little thing called entropy comes into play that AI doesn't help in breaking.

    *cought* *cought* clickbait.

    --
    If you're scared of your govt then you need to further restrict its powers
    Vote 3rd Party in 2016 and beyond
    1. Re:Clickbait by ebvwfbw · · Score: 1

      Sounds like they're using the old linked pw hash released a few years ago. That was lame. I typed in just words and I was getting hits. Like company names, government agencies... Caps, no caps... It was surprising how people didn't seem to care about their accounts. Easy to hijack and put whatever. Imagine hijacking one and put in the profile - porn star. 1990-1995 - erotic studios, CA. Man oh man, could you imagine the fun you could have with the job description? I wouldn't want to put that here because I know there could be children reading this. Imagine the slang that could be used... did a 3-1 service.

  28. Re: Good reason to not have a Slashdot account. by Monster_user · · Score: 1

    Simple solution. Use throwaway passwords on less important sites, and break your standards to create super secure passwords for sites that are more important.

  29. Re: Good reason to not have a Slashdot account. by Monster_user · · Score: 1

    I generally don't trust password managers. Too much power in one place. Too much of a risk if it got stolen.

    Hence, I use password tiers.

    A weak password for sites where it is potentially stored as plain text.

    A throw-away password for various sites I'm not concerned about losing my account or access to.

    A moderate password for sites I easily expire-able data, such as a credit card number.

    And unique and complex passwords designed to not be guessable in any form for accounts which hold sensitive information.

  30. Re:Good reason to not have a Slashdot account. by SternisheFan · · Score: 1

    I had /. email me a temporary password, but when I got to the configuring password page, no matter what I do I cannot create a new password. Constantly tells me 'current password is incorrect', and it's the temporary password /. just emailed me. Any help, eds?

  31. Re:Good reason to not have a Slashdot account. by SternisheFan · · Score: 1

    I need to retract my statement above. Someone from Slashdot has just contacted me via my connected email account and has promised to investigate the matter. We are currently trying to work out this issue. I was told that whatever the reason is for my being unable to create a new password has nothing to do with a comment made by me some years ago about reddit. I may have jumped the gun on this one, and new management at slashdot is very responsive, it seems. Thank you Logan Abbot

  32. oops by p0larity · · Score: 1

    Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

    Dammit! Now I have to change my password. Thanks PassGAN!