Despite the many, many cautionary tales we hear every day of e-mail, social media, and other Internet accounts being compromised, some people still haven’t heeded the warnings about using easily-guessed passwords. And it isn’t just the non-technical masses that are leaving themselves vulnerable.

I’ve railed in the past against the risks created, ironically, by companies having password policies that are too aggressive. But on the Internet, it’s already been established that nearly any password is vulnerable to cracking, no matter how elaborate.

Websites’ poor security often leaves them vulnerable to the bulk theft of password files—or, as in the case of the exposure at the Institute of Electrical and Electronics Engineers’ IEEE.org, sometimes passwords are just sitting there on servers unencrypted and waiting to be downloaded. Even when they’re encrypted, those password files can easily be cracked (as Dan Goodin reported) with a variety of readily-available “password recovery” tools—and thanks to software that uses the power of beefier graphics processor units and vast lists of previously cracked passwords, it’s getting increasingly easier.

Read 10 remaining paragraphs | Comments

Ars Technica » Technology Lab