56 Million Unhashed Passwords

Over the last few months, I’ve tried to reach someone at my ISP about concerns I have regarding password storage practices. Namely, that they store them in a form that makes them vulnerable to being exposed in plain text in the case of a data breach. After some initial research, I discovered that the issue actually lies with a vendor called CSG International and that the passwords of 56 million user accounts are currently stored improperly.

I’m announcing my first attempt at a tool to help with Diceware master password adoption. I’ve created a single-page HTML file to quickly generate Diceware passwords from dice rolls. Here is a link to the source. And here is the live project. You can tweet at me if you have suggestions, improvements, or requests.

Recently I’ve paid more attention to recommendations for memorized keys. Should I always use a number in my password? Is it really more secure to add that special character at the end every time? What are some real best practices when you’re telling people to create strong, memorable passwords? First, I’ll make some assumptions to help think about this. I’m only talking about the passwords you absolutely must memorize; otherwise we would all be better off using a password manager of some sort.