January 7th, 2010
Dan Kaminsky posted the following on Twitter:
http://eprint.iacr.org/2010/006.pdf Is it time to deprecate 1024bit RSA for, say, 1276bit? (2048 has perf issues.)
The link Dan provided is the research paper reporting the factorization of RSA-768, the 768-bit modulus from the 2001 RSA Factoring Challenge. I responded to him that NIST had already deprecated the use of 1024-bit RSA in the government, and that it was time for industry to follow suit. Since I posted that, I've been surprised by how many people don't understand the upcoming changes in key lengths and algorithm strengths that NIST has mandated. So, this post offers some information about why I can confidently say the U.S. government has deprecated certain algorithms and key lengths.
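The reason a 768-bit factorization puts 1024-bit RSA on notice is that the best known factoring algorithm, the general number field sieve (GNFS) used for RSA-768, scales sub-exponentially in the modulus size: going from 768 to 1024 bits adds 256 bits of modulus but only about ten bits of attacker effort. The following is an added example, not part of the original post or of the paper, that evaluates the standard GNFS L-notation heuristic for the key sizes under discussion. It drops the constant factors and the o(1) term, so the absolute figures are rough and only the ratios between sizes are meaningful.

```python
import math

# Heuristic running time of the general number field sieve in L-notation:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
# Constant factors and the o(1) term are dropped, so absolute numbers are
# approximate; ratios between nearby key sizes are the useful output.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log2_effort(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost for an RSA modulus of the given size."""
    ln_n = modulus_bits * math.log(2)              # ln n for an n-bit modulus
    ln_L = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_L / math.log(2)


def relative_effort(bits_a: int, bits_b: int) -> float:
    """How many times harder factoring a bits_a modulus is than a bits_b one."""
    return 2 ** (gnfs_log2_effort(bits_a) - gnfs_log2_effort(bits_b))


if __name__ == "__main__":
    for bits in (512, 768, 1024, 1536, 2048):
        print(f"RSA-{bits}: ~2^{gnfs_log2_effort(bits):.1f} GNFS effort, "
              f"{relative_effort(bits, 768):10.0f}x the cost of RSA-768")
```

Running it puts 1024-bit RSA roughly three orders of magnitude beyond the 768-bit result, which is why a completed 768-bit factorization is treated as a warning for 1024 rather than a curiosity. The heuristic also shows why the jump to 2048 is so much larger in security than in key size, which is the trade-off behind the "perf issues" in the tweet.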
Tags: 1024, deprecation, nist, rsa, sha
Posted in data protection, regulations, software, standards by Peter Hesse | 2 Comments
January 4th, 2010
Today Threatpost pointed me to a news article reporting that Twitter now protects against bad passwords by checking for them, and that the list of banned passwords sits right in the source of the signup page (line 282 in the current source of that page). This raises two questions in my mind:
1) Where did Twitter get this list? Was it their own creation, or is it based on, say, the 370 most commonly used passwords on Twitter? Is Twitter making users who already use one of these passwords change them? And since the check runs in the page's own JavaScript, if I were to, say, edit the source of the signup page, could I still sign up with a 'banned' password?
2) What passwords *should* be on the list, but aren't? One of my favorite test passwords, "asdf;lkj", isn't on there. What password do you think should be banned, but isn't? Let us know in the comments.
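A banned-password list that lives only in the signup page's JavaScript stops only the users who run that JavaScript; anyone who edits the page or posts the form directly skips it, so the same check has to run on the server for the ban to mean anything. The following is an added example, not Twitter's code or the original post's, of such a server-side check. The blocklist is a short constructed sample, not Twitter's actual list. Before the lookup it normalizes case, trailing digits and the usual letter-for-symbol substitutions, and it separately catches keyboard-row walks such as "asdf;lkj", which no fixed list will ever enumerate.

```python
# Constructed sample blocklist for illustration; not Twitter's actual list.
BANNED = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "twitter",
    "letmein", "monkey", "iloveyou", "football", "baseball", "dragon",
})

# Digit/symbol-for-letter substitutions users apply to dress up a banned word.
LEET = str.maketrans("0134578@$!", "oieastbasi")

# US QWERTY rows, used to detect walks like "qwerty" or "asdf;lkj".
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
KEYPOS = {ch: (r, i) for r, row in enumerate(ROWS) for i, ch in enumerate(row)}


def candidates(password: str):
    """Yield the normalized forms of the password compared against the list."""
    lowered = password.lower()
    yield lowered
    yield lowered.translate(LEET)                  # "tw1tter"   -> "twitter"
    stripped = lowered.rstrip("0123456789")        # "password1" -> "password"
    if stripped and stripped != lowered:
        yield stripped
        yield stripped.translate(LEET)             # "p@ssw0rd1" -> "password"


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if the password is nothing but runs of adjacent keys on one row.

    Each run must move in a single direction and be at least min_run keys
    long; "asdf;lkj" is two such runs (forward, then backward) and is flagged.
    Walks that change rows (e.g. "qaz") are outside this check.
    """
    s = password.lower()
    if len(s) < min_run or any(ch not in KEYPOS for ch in s):
        return False
    runs, run_len, direction = [], 1, 0
    for prev, cur in zip(s, s[1:]):
        (prow, pcol), (crow, ccol) = KEYPOS[prev], KEYPOS[cur]
        step = ccol - pcol if prow == crow else 0
        if step in (1, -1) and direction in (0, step):
            run_len += 1
            direction = step
        else:                                      # run broken: start a new one
            runs.append(run_len)
            run_len, direction = 1, 0
    runs.append(run_len)
    return min(runs) >= min_run


def reject_reason(password: str, banned=BANNED):
    """Server-side policy check: return why the password is refused, or None."""
    if len(password) < 6:
        return "too short"
    if any(form in banned for form in candidates(password)):
        return "banned"
    if is_keyboard_walk(password):
        return "keyboard walk"
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "asdf;lkj", "zxcvbnm,", "Tw1tter", "correct horse battery"):
        print(f"{pw!r}: {reject_reason(pw) or 'accepted'}")
```

The client-side list is still worth keeping for immediate feedback, but it should be the same list the server enforces, and the server's answer is the one that counts. The keyboard-walk check is deliberately narrow (single-row runs only) so that it adds no false positives to ordinary passphrases; the passphrase in the sample run passes because a space is not a key position.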
Posted in passwords by Peter Hesse | Comments Off