WebApp Sec mailing list archives
Re: Password Blacklist
From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 15 Aug 2012 17:11:54 +1000
Reed,

There are many password lists out there, such as the RockYou one, the Top 10,000, and the basic JTR one (which is actually very good for its small size), but this is the wrong approach.

Almost all passwords chosen by users that are in the Top 10,000 are < 8 characters in length. These correlate strongly with every other account they have open, as keeping multiple passwords is too difficult for many users.

It's time to push password length right out to > 16 characters to force the use of pass phrases. This eliminates all known password lists, and is a safer alternative.

In time, there will be bad passphrase lists, containing well-known phrases like "To be, or not to be, that is the question:", but for now I haven't seen such a list. That doesn't mean it doesn't exist. I reckon creating a rainbow table derived from a quotes dictionary would be invaluable for those of us using such things to break passphrased hashes.

Passwords were insecure more than 30 years ago (see the 1979 Morris paper to prove my point, back when PDP 11/70s were considered fast instead of less capable than the average $2 store digital watch), but we're stuck with them. Let's not move the "worst passwords" to another set of "worst passwords". Let's make it "worst passphrases" :)

thanks,
Andrew

On Wed, Aug 15, 2012 at 3:29 AM, Reed Black <reed () unsafeword org> wrote:
Can anyone recommend a good password dictionary, preferably one where the author speaks to the method of its construction?

As part of our authentication system, I want to blacklist the most commonly used passwords. I searched for dictionaries for use with John the Ripper, hoping to use one of these. There is surprisingly little overlap in the top terms among these different dictionaries. This makes me unsure of their utility.

This is for a web service with an international user base, if that makes a difference.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
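As an added example (not code from either poster), the two policies discussed in the thread combined in one check: Reed's blacklist of the most common passwords, Andrew's minimum length that pushes users toward passphrases, and a lookup against a constructed "worst passphrases" list of well-known quotes. The lists, the 16-character threshold and the normalization rules are assumptions for illustration; a real deployment would load full wordlists from disk.

```python
import re
import unicodedata
from typing import Optional

# Constructed stand-ins for the lists discussed in the thread: a few entries
# of a "top 10,000 passwords" list and a few well-known quotes that a future
# "worst passphrases" list would contain.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
COMMON_PHRASES = {
    "to be or not to be that is the question",
    "may the force be with you",
    "four score and seven years ago",
}
# Phrases with spaces stripped, so "ToBeOrNotToBe..." matches as well.
PHRASE_KEYS = {p.replace(" ", "") for p in COMMON_PHRASES}
MIN_LENGTH = 16  # assumed threshold standing in for the post's "> 16 characters"


def normalize(text: str) -> str:
    """Canonical form for blacklist lookup: Unicode compatibility form,
    case-folded, punctuation replaced by spaces, whitespace collapsed, so
    'To be, or NOT to be...' and 'to be or not to be' compare equal."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    letters = re.sub(r"[^\w\s]", " ", folded)
    return " ".join(letters.split())


def check_password(candidate: str, min_length: int = MIN_LENGTH) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise the reason it fails.

    The length rule is checked first: with min_length=16 nothing on a short
    common-password list can get through, which is Andrew's argument. The
    blacklist checks remain so that a lower threshold still rejects the
    obvious choices and so that well-known quotes are caught at any length.
    """
    if len(candidate) < min_length:
        return f"shorter than {min_length} characters"
    norm = normalize(candidate)
    if norm in COMMON_PASSWORDS:
        return "on the common-password list"
    if norm in COMMON_PHRASES or norm.replace(" ", "") in PHRASE_KEYS:
        return "well-known phrase"
    return None
```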