WebApp Sec mailing list archives
Re: Password Blacklist
From: Per Thorsheim <per () thorsheim net>
Date: Wed, 15 Aug 2012 08:33:33 +0200
Can anyone recommend a good password dictionary, preferably one where the author speaks to the method of its construction? As part of our authentication system, I want to blacklist the most commonly used passwords. I searched for dictionaries for use with John the Ripper, hoping to use one of these. There is surprisingly little overlap in the top terms among these different dictionaries. This makes me unsure of their utility. This is for a web service with an international user base, if that makes a difference.
Personally I would advise you not to implement a specific wordlist. Instead you should look into stuff like the Dropbox zxcvbn password meter (tech.dropbox.com/?p=165) to guide your users into choosing good passwords.

You should have a decent password policy. I have no idea what you have to protect, but in almost any case on the Internet a decent policy would be minimum length 8 (maximum length should be 128+, to allow even the craziest of passphrases), 3 out of 4 character groups.

You MUST (this is not "should") store your passwords properly! That is; no plain MD5 without salting or similar. PBKDF2, Bcrypt or Scrypt with the number of iterations set to values that give acceptable server load vs # of users vs # security.

You should implement proper rate-limiting to your login system. Allowing 1 IP to try out tens - hundreds - of attempts per second per username: not good. Slowing down the time between each attempt to an account after the first 2-3-4 attempts is usually fully acceptable to the user, but makes online brute force attacks much harder to do. There is much more logic to be applied into such rate-limiting algorithms, go search and you shall find.

Best regards,
Per Thorsheim
securitynirvana.blogspot.com
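The three controls the reply describes (the 8..128 / 3-of-4-groups policy, salted PBKDF2 storage, and a per-account slowdown after the first few failed attempts) as an added example; this is not code from the thread or from any project it mentions, and the iteration count, the three free attempts and the doubling delay are assumed tuning values:

```python
import hashlib
import hmac
import os
import string
import time

# Policy from the reply: length 8..128 and at least 3 of 4 character groups.
GROUPS = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def meets_policy(password: str) -> bool:
    if not 8 <= len(password) <= 128:
        return False
    return sum(any(c in group for c in password) for group in GROUPS) >= 3

# Salted PBKDF2-HMAC-SHA256; ITERATIONS is an assumed value to tune for server load.
ITERATIONS = 200_000

def hash_password(password: str, salt=None):
    salt = salt or os.urandom(16)  # fresh random salt per user
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class LoginThrottle:
    """Per-account throttle: a few free attempts, then a doubling delay (capped)."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock            # injectable for deterministic testing
        self.state = {}               # username -> (failures, not_before_timestamp)

    def seconds_until_allowed(self, username: str) -> float:
        _, not_before = self.state.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, username: str) -> float:
        failures = self.state.get(username, (0, 0.0))[0] + 1
        extra = failures - self.free_attempts
        delay = 0.0 if extra <= 0 else min(self.max_delay, self.base_delay * 2 ** (extra - 1))
        self.state[username] = (failures, self.clock() + delay)
        return delay   # seconds the account must wait before the next attempt

    def record_success(self, username: str) -> None:
        self.state.pop(username, None)  # a good login resets the counter
```

Call `seconds_until_allowed` before checking the password and `record_failure` / `record_success` after; the delay is per account, so it also limits distributed guessing that spreads attempts across many IPs.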
Current thread:
- Password Blacklist Reed Black (Aug 14)
- Re: Password Blacklist Andrew van der Stock (Aug 15)
- Re: Password Blacklist Per Thorsheim (Aug 15)
- Re: Password Blacklist Reed Black (Aug 15)
- RE: Password Blacklist Nigel Ball (Aug 15)
- Re: Password Blacklist Per Thorsheim (Aug 15)
- Re: Password Blacklist Snipe (Aug 16)
- Re: Password Blacklist Reed Black (Aug 15)
- Re: Password Blacklist Nick Galbreath (Aug 15)