Web Application Security
Password Blacklist Aug 14 2012 05:29PM
Reed Black (reed unsafeword org) (3 replies)
Re: Password Blacklist Aug 15 2012 07:11AM
Andrew van der Stock (vanderaj greebo net)
Reed,

There are many password lists out there, such as the RockYou, Top
10000, the basic JTR one (which is actually very good for its small
size), but this is the wrong approach.

Almost all passwords chosen by users that are in the Top 10,000 are <
8 characters in length. These correlate strongly with every other
account they have open as keeping multiple passwords is too difficult
for many users.

It's time to push password length right out to > 16 characters to
force the use of pass phrases. This eliminates all known password
lists, and is a safer alternative.

In time, there will be bad passphrase lists, containing well known
phrases like "To be, or not to be, that is the question:" but for now,
I haven't seen such a list. That doesn't mean it doesn't exist. I
reckon creating a rainbow table derived from a quotes dictionary would
be invaluable for those of us using such things to break passphrased
hashes.

Passwords were insecure more than 30 years ago (see the 1979 Morris
paper to prove my point back when PDP-11/70s were considered fast
instead of less capable than the average $2 store digital watch), but
we're stuck with them.

Let's not move the "worst passwords" to another set of "worst
passwords". Let's make it "worst passphrases" :)

thanks,
Andrew

On Wed, Aug 15, 2012 at 3:29 AM, Reed Black <reed (at) unsafeword (dot) org> wrote:
>
> Can anyone recommend a good password dictionary, preferably one where
> the author speaks to the method of its construction?
>
> As part of our authentication system, I want to blacklist the most
> commonly used passwords. I searched for dictionaries for use with John
> the Ripper, hoping to use one of these. There is surprisingly little
> overlap in the top terms among these different dictionaries. This
> makes me unsure of their utility.
>
> This is for a web service with an international user base, if that
> makes a difference.
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>

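The two points in this exchange, Reed's blacklist of commonly used passwords and Andrew's minimum length of 16 characters to force pass phrases, can be combined in one check. The block below is an added example for this thread, not code from either poster or from the list. It assumes blacklists arrive as one-password-per-line text (the format John the Ripper wordlists use); the two short lists embedded in it are constructed for illustration and are not the real RockYou or Top 10000 lists. It also measures how much the top entries of two lists overlap, which is the property Reed found surprisingly low, and it keeps the blacklist in force for long inputs so that a list of famous quotations, of the kind Andrew expects, can be dropped in later.

```python
"""Blacklist plus minimum-length password check, with a list-overlap measure.

Added example for this thread; it is not code from either poster or from
the list. Assumptions: blacklists are one-password-per-line text files (the
format John the Ripper wordlists use), and the two small lists below are
constructed for illustration rather than copied from RockYou or Top 10000.
"""
import re
import unicodedata

# Constructed sample "common passwords" list, including one well-known
# phrase of the kind a future passphrase blacklist would hold.
SAMPLE_BLACKLIST_TEXT = """\
#!comment: constructed sample, not a real wordlist
password
123456
qwerty
letmein
iloveyou
football
To be, or not to be, that is the question:
"""

# Constructed second sample list, used only to measure top-N overlap.
SAMPLE_OTHER_LIST_TEXT = """\
123456
password
monkey
dragon
baseball
abc123
"""

# Undo the substitutions users apply to a dictionary word ("P@ssw0rd").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
_TRAILING_JUNK = re.compile(r"[\W\d_]+$")   # digits/symbols appended at the end
_NON_ALNUM = re.compile(r"[\W_]+")          # spaces and punctuation inside phrases


def normalize(pw):
    """Canonical form for blacklist lookup (a heuristic chosen for this example).

    Lowercase and NFKC-fold, drop a trailing run of digits/symbols ("letmein1!"),
    undo common leet substitutions, then remove spaces and punctuation so a
    quoted phrase matches regardless of how it was punctuated.
    """
    s = unicodedata.normalize("NFKC", pw).lower()
    stripped = _TRAILING_JUNK.sub("", s)
    if not stripped:                       # all digits/symbols: keep as typed
        return _NON_ALNUM.sub("", s)
    return _NON_ALNUM.sub("", stripped.translate(_LEET))


def load_wordlist(text):
    """Parse one-entry-per-line text into a set of normalized entries."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#!"):   # JTR-style comment line
            continue
        entries.add(normalize(line))
    return entries


def check_password(pw, blacklist, min_length=16):
    """Return (accepted, reason).

    Length is checked first, so a short dictionary word is reported for the
    rule that actually fixes it; the blacklist still applies to long inputs,
    which is where a list of famous quotations would bite.
    """
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if normalize(pw) in blacklist:
        return False, "matches a common-password blacklist entry"
    return True, "accepted"


def top_overlap(text_a, text_b, n):
    """Fraction of the first n entries of list A that also appear in the first n of list B."""
    def head(text):
        return [l.strip() for l in text.splitlines()
                if l.strip() and not l.startswith("#!")][:n]
    a, b = head(text_a), set(head(text_b))
    return sum(1 for e in a if e in b) / n


if __name__ == "__main__":
    bl = load_wordlist(SAMPLE_BLACKLIST_TEXT)
    for candidate in ("P@ssw0rd123!", "L3tM31n!",
                      "To be, or not to be, that is the question:",
                      "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, bl))
    print("top-6 overlap between the two sample lists:",
          top_overlap(SAMPLE_BLACKLIST_TEXT, SAMPLE_OTHER_LIST_TEXT, 6))
```

Because both the stored list and the candidate pass through the same `normalize`, a short list still catches the "add a digit and a bang" variants that inflate raw dictionaries, which is one reason two lists can disagree so much near the top while covering much the same habits. The overlap figure for the two constructed lists is 2 of 6 shared entries.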

Copyright 2010, SecurityFocus