RIM blacklists a bunch of common passwords for BlackBerry 10. Good. About time somebody did it.
I'm curious what percentage of passwords those 106 account for. I'd be really interested in seeing a graph.
The current password system needs to die. In the meantime, this is a good Band-Aid.
I'd go so far as to suggest keeping one of the major leaked unsalted-hash DBs handy and rejecting any password that's a match.
I'd stop short of suggesting a system that rejects all dictionary words, including common symbol-for-letter substitutions. Human memory's just too fragile for that to be a reasonable solution.
Unless of course all the major browser vendors start including built-in password generators/wallets. Which would create its own problem: a single point of failure, easily accessed by phishing, even assuming the backend was perfectly secure.
There's the xkcd solution, of course. And I DO think it would probably be a good idea for websites to drop all this "must include at least two numbers, a symbol, and a capital letter" horseshit and encourage longer passwords instead of more convoluted ones. But Munroe's math is pretty fucking optimistic (as he seems to acknowledge in his alt text); if everybody started using "four 'random' common words" as a standard passphrase, odds are pretty fucking good they wouldn't actually be random. People would still pick common names, things on their desk, and indeed probably pick four words that were related to one another. Upshot is we'd still end up with passwords based on the same handful of words, easy to guess heuristically.
Plus, long passwords are a bitch to type into a phone.
tl;dr As always there's no simple solution to password security. Even "nuke the whole system and start over" is a really complex solution fraught with its own various drawbacks and weaknesses.
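To make the suggestions in the post above concrete, here is an added example (not the poster's code, and not anything RIM ships) of a server-side password check that does three things the thread talks about: rejects a short blacklist of common passwords even when the user applies the usual symbol-for-letter substitutions, rejects anything whose unsalted SHA-1 appears in a leaked-hash corpus, and prefers length over composition rules. The "leaked corpus" and blacklist are tiny constructed samples, the SHA-1 choice simply mirrors what most historical unsalted dumps used, and the passphrase entropy helper uses assumed vocabulary sizes (2048 words per the xkcd comic's 11 bits per word; ~200 for the "things on their desk" case) to show why the four-word number is optimistic when the words aren't actually random.

```python
import hashlib
import math

# Constructed sample "leaked password" corpus, stored as unsalted SHA-1 hex
# digests the way many real breach dumps were. In practice this set would be
# loaded from a multi-million-entry file, not built from plaintexts at startup.
_LEAKED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "blackberry"]
LEAKED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _LEAKED_PLAINTEXTS}

# Constructed sample of the "106 common passwords" idea: a small explicit blacklist.
COMMON_BLACKLIST = {"password", "12345678", "iloveyou", "abc123", "qwertyuiop"}

# Undo the usual leetspeak substitutions so "P@ssw0rd" is recognised as "password".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and map common symbol/digit substitutions back to letters."""
    return password.lower().translate(_LEET)


def in_leaked_corpus(password: str) -> bool:
    """True if the unsalted SHA-1 of the candidate is in the leaked-hash set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in LEAKED_HASHES


def check_password(password: str, min_len: int = 12):
    """Return (accepted, reasons). Length is the only composition rule enforced;
    the rest is blacklist and breach-corpus matching."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if normalize(password) in COMMON_BLACKLIST:
        reasons.append("matches a blacklisted common password (after normalisation)")
    if in_leaked_corpus(password):
        reasons.append("appears in a leaked-password corpus")
    return (not reasons, reasons)


def passphrase_bits(word_count: int, vocab_size: int) -> float:
    """Entropy in bits of word_count words chosen uniformly from vocab_size.
    Only valid if the words really are chosen uniformly at random."""
    return word_count * math.log2(vocab_size)


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "blackberry", "correct horse battery staple"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
    # Assumed vocabulary sizes: 2048 words is the comic's model; ~200 is a guess
    # at the pool people actually draw from when picking "random" words themselves.
    print("4 words, 2048-word random pick:", passphrase_bits(4, 2048), "bits")
    print("4 words, 200-word human pick:  ", round(passphrase_bits(4, 200), 1), "bits")
```

The leet normalisation is deliberately one-directional: it only needs to catch a blacklisted word dressed up with substitutions, so there is no need to enumerate every variant when storing the blacklist. Note also that the corpus lookup hashes the candidate at check time and never stores it, so the check itself doesn't create a new unsalted copy of user passwords.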