Web Application Security
Password Blacklist Aug 14 2012 05:29PM
Reed Black (reed unsafeword org) (3 replies)
Re: Password Blacklist Aug 15 2012 07:24AM
Nick Galbreath (nickg client9 com)
Hi Reed,

If you are going to do blacklisting, a good way to go is to ban
passwords that have already been disclosed

http://dazzlepod.com/disclosure/

had a nice consolidated list of all the password disclosures that have
occurred over the last few years. One is free and the other is a
well-spent $5 via PayPal.

Note that uncompressed it is 500MB of unique passwords. You can certainly
keep them in a database but if you want to keep it simple you can use
binary search on the file. See
https://github.com/client9/bgrep/blob/master/c/bgrep.c There are
other more exotic solutions that are more cache friendly but bgrep is
really simple to get started.

That said, everything Per Thorsheim said is also wise advice.

best,

nickg

On Tue, Aug 14, 2012 at 1:29 PM, Reed Black <reed (at) unsafeword (dot) org [email concealed]> wrote:
>
> Can anyone recommend a good password dictionary, preferably one where
> the author speaks to the method of its construction?
>
> As part of our authentication system, I want to blacklist the most
> commonly used passwords. I searched for dictionaries for use with John
> the Ripper, hoping to use one of these. There is surprisingly little
> overlap in the top terms among these different dictionaries. This
> makes me unsure of their utility.
>
> This is for a web service with an international user base, if that
> makes a difference.
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>


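The file-offset binary search Nick describes, written out as an added example (this is not code from the thread, from dazzlepod or from bgrep): a candidate password is checked against a byte-sorted, newline-delimited list by seeking into the file and backing up to the nearest line boundary, so a 500MB list costs roughly thirty seeks per lookup and is never loaded into memory. The password list, the temp-file path and the function names are constructed for illustration.

```python
"""Binary search a sorted, newline-delimited disclosed-password file on disk.

Added example, not the thread's or bgrep's code. The word list below is a
constructed sample standing in for a real disclosure dump.
"""
import os
import tempfile

# Constructed sample; a real list would be the dazzlepod-style dump.
SAMPLE_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "monkey",
    "iloveyou", "trustno1", "abc123", "password1",
]


def write_sorted_list(passwords, path):
    """Write one password per line in byte order (the order `LC_ALL=C sort -u`
    produces), which is the order the search below assumes."""
    entries = sorted({p.encode("utf-8") for p in passwords})
    with open(path, "wb") as f:
        for entry in entries:
            f.write(entry + b"\n")
    return path


def _line_start(f, pos, chunk=4096):
    """Offset of the first byte of the line containing byte offset pos,
    found by scanning backwards for the preceding newline."""
    end = pos
    while end > 0:
        start = max(0, end - chunk)
        f.seek(start)
        buf = f.read(end - start)
        nl = buf.rfind(b"\n")
        if nl != -1:
            return start + nl + 1
        end = start
    return 0


def is_disclosed(path, candidate):
    """True if candidate appears as a whole line in the sorted file.

    lo and hi are byte offsets. Invariant: every line starting before lo
    sorts below the key and every line starting at or after hi sorts above
    it, so a match can only start in [lo, hi)."""
    key = candidate.encode("utf-8")
    with open(path, "rb") as f:
        lo, hi = 0, os.fstat(f.fileno()).st_size
        while lo < hi:
            mid = (lo + hi) // 2
            start = _line_start(f, mid)   # back up to the line boundary
            f.seek(start)
            line = f.readline()
            word = line.rstrip(b"\r\n")
            if word == key:
                return True
            if word < key:
                lo = start + len(line)    # resume after this line
            else:
                hi = start                # this line and everything after it is too big
    return False


def build_demo_list():
    """Write the constructed sample to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "disclosed.txt")
    return write_sorted_list(SAMPLE_PASSWORDS, path)


if __name__ == "__main__":
    demo = build_demo_list()
    for pw in ["password", "Password", "correcthorsebatterystaple"]:
        print(pw, "->", "disclosed" if is_disclosed(demo, pw) else "not in list")
```

The one thing to get right is the sort order: the file must be sorted in plain byte order (`LC_ALL=C sort -u` on Unix), because Python's bytes comparison, like C's memcmp, is byte order; a list sorted under a locale collation will make the search silently miss entries. Lookups are exact and case-sensitive, so any normalisation (lower-casing, stripping trailing digits) is a policy decision to apply consistently when both building the list and checking against it.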
Re: Password Blacklist Aug 15 2012 07:11AM
Andrew van der Stock (vanderaj greebo net)
Re: Password Blacklist Aug 15 2012 06:33AM
Per Thorsheim (per thorsheim net) (1 replies)
Re: Password Blacklist Aug 15 2012 08:48AM
Reed Black (reed unsafeword org) (2 replies)
Re: Password Blacklist Aug 15 2012 07:56PM
Per Thorsheim (per thorsheim net) (1 replies)
Re: Password Blacklist Aug 16 2012 06:01AM
Snipe (snipe snipe net)
RE: Password Blacklist Aug 15 2012 10:38AM
Nigel Ball (Nigel K Ball dsl pipex com)
Copyright 2010, SecurityFocus