Web Application Security
Password Blacklist Aug 14 2012 05:29PM
Reed Black (reed unsafeword org) (3 replies)
Re: Password Blacklist Aug 15 2012 06:33AM
Per Thorsheim (per thorsheim net) (1 replies)
> Can anyone recommend a good password dictionary, preferably one where
> the author speaks to the method of its construction?
> As part of our authentication system, I want to blacklist the most
> commonly used passwords. I searched for dictionaries for use with John
> the Ripper, hoping to use one of these. There is surprisingly little
> overlap in the top terms among these different dictionaries. This
> makes me unsure of their utility.
> This is for a web service with an international user base, if that
> makes a difference.

Personally I would advise you not to implement a specific wordlist. Instead you should look into stuff like the Dropbox zxcvbn password meter (tech.dropbox.com/?p=165) to guide your users into choosing good passwords.

You should have a decent password policy. I have no idea what you have to protect, but in almost any case on the Internet a decent policy would be minimum length 8 (maximum length should be 128+, to allow even the craziest of passphrases), 3 out of 4 character groups.

You MUST (this is not "should") store your passwords properly! That is: no plain MD5 without salting or similar. PBKDF2, Bcrypt or Scrypt with the number of iterations set to values that give acceptable server load vs # of users vs # security.

You should implement proper rate-limiting to your login system. Allowing 1 IP to try out tens, or hundreds, of attempts per second per username: not good. Slowing down the time between each attempt to an account after the first 2-3-4 attempts is usually fully acceptable to the user, but makes online brute force attacks much harder to do. There is much more logic to be applied to such rate-limiting algorithms; go search and you shall find.

Best regards,
Per Thorsheim
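An added example (not code from the original post or from Per Thorsheim) of the two controls the reply describes: the min-8 / max-128 length, 3-of-4 character groups policy check, and a per-account throttle that starts delaying attempts after the first few failures. The grace of three attempts and the backoff schedule (doubling from one second, capped at five minutes) are assumptions chosen for illustration.

```python
"""Password policy check plus per-account progressive login throttle.
Added illustration; thresholds and backoff schedule are assumptions."""
import time

MIN_LEN, MAX_LEN = 8, 128
FREE_ATTEMPTS = 3   # failures tolerated before delays start (assumed)
MAX_DELAY = 300     # cap on the enforced delay, in seconds (assumed)


def meets_policy(password: str) -> bool:
    """Length 8..128 and at least 3 of the 4 character groups present."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    groups = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # punctuation, space, etc.
    )
    return sum(groups) >= 3


def required_delay(failures: int) -> int:
    """Seconds the account must wait before the next attempt is processed.
    No delay for the first FREE_ATTEMPTS failures, then 1, 2, 4, 8, ... capped."""
    excess = failures - FREE_ATTEMPTS
    if excess <= 0:
        return 0
    return min(2 ** (excess - 1), MAX_DELAY)


class LoginThrottle:
    """Tracks consecutive failures per username; a success clears the record.
    The clock is injectable so the logic can be tested without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # username -> (failure count, time of last failure)

    def allowed(self, username: str) -> bool:
        """True if enough time has passed since the last failure for this account."""
        failures, last = self.state.get(username, (0, 0.0))
        return self.clock() - last >= required_delay(failures)

    def record(self, username: str, success: bool) -> None:
        """Update the per-account state after an authentication attempt."""
        if success:
            self.state.pop(username, None)
        else:
            failures, _ = self.state.get(username, (0, 0.0))
            self.state[username] = (failures + 1, self.clock())
```

The throttle keys on the username, so it slows a single account down regardless of how many source IPs the attempts arrive from; a per-IP limit would be a separate, complementary table.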

Copyright 2010, SecurityFocus