Re: Password Blacklist

[Nick Galbreath <nickg () client9 com>]

Hi Reed,

If you are going to do blacklisting, a good way to go is to ban
passwords that have been already been disclosed

http://dazzlepod.com/disclosure/

had a nice consolidated list of all the password disclosures that have
occurred over the last few years.   One is free and the other is a
well spent $5 via paypal.

Note uncompressed it is 500MB of unique passwords.  You can certainly
keep them in a database but if you want to keep it simple you can use
binary search on the file.  See
https://github.com/client9/bgrep/blob/master/c/bgrep.c  There are
other more exotic solutions that are more cache friendly but bgrep is
really simple to get started.

That said, everything Per Thorshein said, is also wise advice.

best,

nickg

On Tue, Aug 14, 2012 at 1:29 PM, Reed Black <reed () unsafeword org> wrote:
> Can anyone recommend a good password dictionary, preferably one where
> the author speaks to the method of its construction?
>
> As part of our authentication system, I want to blacklist the most
> commonly used passwords. I searched for dictionaries for use with John
> the Ripper, hoping to use one of these. There is surprisingly little
> overlap in the top terms among these different dictionaries. This
> makes me unsure of their utility.
>
> This is for a web service with an international user base, if that
> makes a difference.
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------