WebApp Sec mailing list archives
Re: Password Blacklist
From: Nick Galbreath <nickg () client9 com>
Date: Wed, 15 Aug 2012 03:24:12 -0400
Hi Reed,

If you are going to do blacklisting, a good way to go is to ban passwords that have already been disclosed. http://dazzlepod.com/disclosure/ had a nice consolidated list of all the password disclosures that have occurred over the last few years. One is free and the other is a well spent $5 via PayPal. Note: uncompressed, it is 500MB of unique passwords.

You can certainly keep them in a database, but if you want to keep it simple you can use binary search on the file. See https://github.com/client9/bgrep/blob/master/c/bgrep.c

There are other more exotic solutions that are more cache friendly, but bgrep is really simple to get started.

That said, everything Per Thorsheim said is also wise advice.

best,

nickg

On Tue, Aug 14, 2012 at 1:29 PM, Reed Black <reed () unsafeword org> wrote:
Can anyone recommend a good password dictionary, preferably one where the author speaks to the method of its construction? As part of our authentication system, I want to blacklist the most commonly used passwords. I searched for dictionaries for use with John the Ripper, hoping to use one of these. There is surprisingly little overlap in the top terms among these different dictionaries. This makes me unsure of their utility.

This is for a web service with an international user base, if that makes a difference.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
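The "binary search on the file" approach Nick describes, as an added worked example that is not bgrep and not code posted in this thread. It assumes the disclosed-password list is one password per line, de-duplicated and sorted by raw byte value (the order `LC_ALL=C sort -u` produces); the password list embedded below is a small constructed sample, not a real breach dump. The search seeks into the file and reads only a handful of lines per lookup, so a 500MB list never has to be loaded into memory.

```python
import os
import tempfile

# Constructed sample of "disclosed" passwords; not a real breach dump.
SAMPLE_PASSWORDS = [
    "123456", "password", "letmein", "qwerty", "iloveyou",
    "abc123", "monkey", "dragon", "welcome", "trustno1", "password",
]


def write_sorted_list(passwords, path):
    """Write one password per line, de-duplicated and sorted by raw byte
    value (what `LC_ALL=C sort -u` gives you), so that the byte-wise
    comparison in is_disclosed() agrees with the on-disk order.
    Returns the number of unique passwords written."""
    uniq = sorted({p.encode("utf-8") for p in passwords})
    with open(path, "wb") as f:
        for p in uniq:
            f.write(p + b"\n")
    return len(uniq)


def is_disclosed(path, password):
    """Binary search for `password` in a sorted newline-separated file.
    Only O(log n) small reads hit the disk; the file is never read whole."""
    needle = password.encode("utf-8")
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        lo, hi = 0, f.tell()  # invariant: a matching line starts in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            if mid == 0:
                f.seek(0)
            else:
                # Land one byte early and discard the remainder of whatever
                # line we hit, so `line` is the first line starting at >= mid.
                f.seek(mid - 1)
                f.readline()
            line = f.readline()
            if not line:
                hi = mid           # no line starts at or after mid
                continue
            candidate = line.rstrip(b"\n")
            if candidate == needle:
                return True
            if candidate < needle:
                lo = f.tell()      # start of the next line, always > mid
            else:
                hi = mid
    return False


def build_blacklist(passwords=SAMPLE_PASSWORDS):
    """Write the sample list to a temporary file and return its path
    (hypothetical helper so the example runs stand-alone)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    write_sorted_list(passwords, path)
    return path


if __name__ == "__main__":
    blacklist = build_blacklist()
    for candidate in ("qwerty", "hunter2", "123456", "zzz"):
        verdict = "reject" if is_disclosed(blacklist, candidate) else "accept"
        print(f"{candidate!r}: {verdict}")
```

Two things to watch in practice: the comparison is on raw bytes, so a list sorted under a locale-aware collation (plain `sort` without `LC_ALL=C`) will give wrong answers, and the check should run against the password exactly as the user typed it, since the leaked lists are the literal strings attackers will try first.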
Current thread:
- Password Blacklist Reed Black (Aug 14)
- Re: Password Blacklist Andrew van der Stock (Aug 15)
- Re: Password Blacklist Per Thorsheim (Aug 15)
- Re: Password Blacklist Reed Black (Aug 15)
- RE: Password Blacklist Nigel Ball (Aug 15)
- Re: Password Blacklist Per Thorsheim (Aug 15)
- Re: Password Blacklist Snipe (Aug 16)
- Re: Password Blacklist Reed Black (Aug 15)
- Re: Password Blacklist Nick Galbreath (Aug 15)