Inspired by XKCD's classic diceware strip, a programmer named Alice created an open-source algorithm to randomly generate secure passphrases in Welsh. As difficult as it would be for any human or computer to figure out a nonsense phrase like, "correct horse battery staple," it would be even more difficult to guess, "stwffwl batri ceffyl cywir," especially when there are only about 700,000 Welsh speakers to begin with.

While I'm no cryptologist, I did run a few of the passwords through HowSecureIsMyPassword.net and My1Login.net and they seemed to work out all right. According to those sites, it would take 11 quattuordecillion years or 1 trillion trillion trillion years for a computer to crack "DrefnasidRhyd-y-meirchSefydlogiad6*." Similarly, "GlaeruchdyrauGymreigeiddiaiBarcdir0**" would take 429 tredecillion years, or 94 billion trillion trillion years, respectively.

However, as Alice the programmer warns: "It's probably not a good idea to actually use this, since the wordlist is freely available along with the algorithm being used."

So it might not stop a really clever hacker from getting into your email. But it will almost certainly stop a mythic Welsh dragon from stealing your identity. Probably. I'm assuming their claws are pretty clumsy on the keyboard.

Welsh Password Generator [WheresAlice.info]

Image via Lewis Ogden/Flickr (altered)

*Google Translate tells me this means, "The ford of the horses was arranged." I don't know that I trust it—Google Translate is famously sloppy with the grammar of some Celtic languages—but it certainly sounds epic.

**Similarly, this became "Parkland was a Welsh occupation" which sounds like something you would hear on the Breton version of InfoWars. Read the rest

Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation. Read the rest

40 years ago, antitrust law put strict limits on mergers and acquisitions, but since the Reagan era, these firewalls have been dismantled, and now the biggest companies grow primarily by snapping up nascent competitors and merging with rivals; Google is a poster-child for this, having only ever created two successful products in-house (search and Gmail), with all other growth coming from acquisitions and mergers. Read the rest

No one knows who wrote this Unisyn optical vote-counting machine manual that has appeared in multiple sites served by the California-based vendor, but only because Unisyn won't comment on whether they wrote it. Read the rest

The porn extortion scam works like this: you get an email from a stranger claiming that he hacked your computer and recorded video of you masturbating to pornography, which he'll release unless you send him some cryptocurrency. Read the rest

Earlier this month on Jimmy Kimmel Live, random people on the street were asked to share their main internet password. Amazingly, some did... on camera, no less.

(Viral Viral Videos) Read the rest

Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download -- you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones that are likely being used by hackers when they do brute-force attacks against encrypted password files. Read the rest

An analysis of passwords found in the 2009 breach of Rockyou -- 32 million accounts -- finds a large number of Biblical references ("jesus"," "heaven", "faith", etc), including a number of Bible verse references ("john316"). Read the rest

I-Dressup is a social media site aimed at teen and tween girls, where users play and interact with fashion. Six days ago, Ars Technica's Dan Goodin contacted I-Dressup to tell them that they were leaking more than 5.5 million cleartext passwords, and that a hacker had already downloaded 2.2 million of them. Read the rest

800,000 usernames and passwords from Brazzers, a giant porn site; 98 million passwords from Rambler.ru ("Russia's Yahoo") and, coming soon, the entire user database for VKontakte/VK.com, Russia's answer to Facebook. Read the rest

Gus the hacker puppeteer writes, "Last weekend was the Hackers On Planet Earth conference (where, ICYMI, Cory was the keynote address). I always come away from HOPE wishing there were easier ways to share what I learned there with friends and family. Fortunately, the Internet Society has been streaming and storing videos of HOPE talks for the past two conferences. (My own talk, on getting into the minds of everyday computer users, should be up there eventually.)" Read the rest

Hate passwords? Google does too, and may begin doing away with conventional passwords on Android devices this year. At Google I/O, the company announced the next steps in its plans to begin using a password alternative: "trust scores" that determine your creds based on various data points. Developed by Google's Google's Advanced Technology and Projects group, the Trust API will roll out to "several very large" financial institutions within the next few weeks. Read the rest

It's World Password Day and you can celebrate it by fixing your crappy passwords. Read the rest

Now that 11.7 million Ashley Madison users' passwords been shown to be crackable, we're learning that password security has not improved since the last giant dump of user passwords. Read the rest

In Tell Me Who You Are, and I Will Tell You Your Lock Pattern, Marte Løge presented some of her Master's Thesis research on the guessability of Android lock-patterns -- and guess what? Read the rest

The IRS sent extensive dossiers on 100,000 US taxpayers to identity thieves who used weak "secret security" questions to trick the agency's "Get Transcript" service. Read the rest

Ars Technica's Nate Anderson Dan Goodin follows up on Nate Anderson's excellent piece on the nuts and bolts of password cracking with a further attempt to decrypt an encrypted password file leaked from LivingSocial, this time with the aid of experts. The password file they were working on was encrypted with the relatively weak (and now deprecated) SHA1 hashing algorithm, and they were only attacking it with a single GPU on a commodity PC, and were able to extract over 90% of the passwords in the file.

The discussion of the guesswork and refinement techniques used in extracting passwords is absolutely fascinating and really is a must-read. However, the whole exercise is still a bit inconclusive -- in the end, we know that a badly encrypted password file is vulnerable to an underpowered password-cracking device. But what we need to know is whether a well-encrypted password file will stand up to a good password-cracking system.

The specific type of hybrid attack that cracked that password is known as a combinator attack. It combines each word in a dictionary with every other word in the dictionary. Because these attacks are capable of generating a huge number of guesses—the square of the number of words in the dict—crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down. Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict...