> Can anyone recommend a good password dictionary, preferably one where
> the author speaks to the method of its construction?
>
> As part of our authentication system, I want to blacklist the most
> commonly used passwords. I searched for dictionaries for use with John
> the Ripper, hoping to use one of these. There is surprisingly little
> overlap in the top terms among these different dictionaries. This
> makes me unsure of their utility.
>
> This is for a web service with an international user base, if that
> makes a difference.
>
Personally I would advise you not to implement a specific wordlist. Instead you should look into stuff like the Dropbox zxcvbn password meter (tech.dropbox.com/?p=165) to guide your users into choosing good passwords.
You should have a decent password policy. I have no idea what you have to protect, but in almost any case on the Internet a decent policy would be minimum length 8 (maximum length should be 128+, to allow even the craziest of passphrases), 3 out of 4 character groups.
You MUST (this is not "should") store your passwords properly! That is: no plain MD5 without salting or similar. PBKDF2, Bcrypt or Scrypt, with the number of iterations set to values that give acceptable server load vs # of users vs # security.
You should implement proper rate-limiting in your login system. Allowing 1 IP to try out tens (or hundreds) of attempts per second per username: not good. Slowing down the time between each attempt on an account after the first 2, 3 or 4 attempts is usually fully acceptable to the user, but makes online brute force attacks much harder to do. There is much more logic to be applied in such rate-limiting algorithms; go search and you shall find.
Best regards,
Per Thorsheim
securitynirvana.blogspot.com
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
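The three controls in the reply above (a length plus 3-of-4 character-group policy, salted slow hashing, and per-account progressive delay after a few free attempts) as one runnable illustration. This is an added example, not code from Per Thorsheim or from the thread. Assumptions not in the post: PBKDF2-HMAC-SHA256 from Python's hashlib stands in for the PBKDF2/bcrypt/scrypt choice, the iteration count is a placeholder to be tuned to your own load, the delay schedule (3 free failures, then 2 s doubling up to 5 min) and the in-memory state are illustrative, and the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Policy from the post: minimum length 8, generous maximum, 3 of 4 character groups.
MIN_LEN = 8
MAX_LEN = 256  # assumption: "128+"; long passphrases must not be rejected

# Assumption: placeholder count, tune so one hash costs a few hundred ms on your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def policy_ok(password: str) -> bool:
    """Length window plus at least 3 of: lower, upper, digit, other (Unicode-aware)."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    groups = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(groups) >= 3


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per password; the record carries algorithm, cost and salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


# Hash checked for unknown usernames so "no such user" costs the same as a wrong password.
_DUMMY_HASH = hash_password("dummy-password-for-timing")


class LoginThrottle:
    """Per-account progressive delay: FREE_ATTEMPTS failures cost nothing, then each
    further failure doubles the wait before the next attempt is even checked."""
    FREE_ATTEMPTS = 3
    BASE_DELAY = 2.0
    MAX_DELAY = 300.0

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # username -> (failure_count, earliest_next_attempt)

    def delay_for(self, username: str) -> float:
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, username: str) -> float:
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        over = failures - self.FREE_ATTEMPTS
        wait = min(self.BASE_DELAY * 2 ** (over - 1), self.MAX_DELAY) if over > 0 else 0.0
        self._state[username] = (failures, self._clock() + wait)
        return wait

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


def attempt_login(throttle: LoginThrottle, stored_hashes: dict, username: str, password: str):
    """Return ("ok" | "denied" | "throttled", seconds_to_wait)."""
    wait = throttle.delay_for(username)
    if wait > 0:
        return "throttled", wait  # do not touch the hash while the account is cooling down
    stored = stored_hashes.get(username, _DUMMY_HASH)
    if username in stored_hashes and verify_password(password, stored):
        throttle.record_success(username)
        return "ok", 0.0
    verify_password(password, stored) if username not in stored_hashes else None
    return "denied", throttle.record_failure(username)


if __name__ == "__main__":
    users = {"alice": hash_password("Correct-Horse-1")}  # constructed sample account
    th = LoginThrottle()
    for pw in ["guess1", "guess2", "guess3", "guess4"]:
        print(attempt_login(th, users, "alice", pw))
    print(attempt_login(th, users, "alice", "Correct-Horse-1"))  # throttled for ~2 s
```

The per-account delay is what makes a single attacker's attempts against one username slow; an attacker spraying one password across many accounts is not slowed by it, so a per-IP limit (and a short password blacklist, if you still want one) belongs beside it rather than instead of it.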