WebApp Sec mailing list archives

Re: Password Blacklist


From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 15 Aug 2012 17:11:54 +1000

Reed,

There are many password lists out there, such as the RockYou, Top
10,000, the basic JtR one (which is actually very good for its small
size), but this is the wrong approach.

Almost all passwords chosen by users that are in the Top 10,000 are <
8 characters in length. These correlate strongly with every other
account they have open as keeping multiple passwords is too difficult
for many users.

It's time to push password length right out to > 16 characters to
force the use of pass phrases. This eliminates all known password
lists, and is a safer alternative.

In time, there will be bad passphrase lists, containing well known
phrases like "To be, or not to be, that is the question:" but for now,
I haven't seen such a list. That doesn't mean it doesn't exist. I
reckon creating a rainbow table derived from a quotes dictionary would
be invaluable for those of us using such things to break passphrased
hashes.

Passwords were insecure more than 30 years ago (see the 1979 Morris
paper to prove my point, back when PDP-11/70s were considered fast
instead of less capable than the average $2-store digital watch), but
we're stuck with them.

Let's not move the "worst passwords" to another set of "worst
passwords". Let's make it "worst passphrases" :)

thanks,
Andrew

On Wed, Aug 15, 2012 at 3:29 AM, Reed Black <reed () unsafeword org> wrote:

Can anyone recommend a good password dictionary, preferably one where
the author speaks to the method of its construction?

As part of our authentication system, I want to blacklist the most
commonly used passwords. I searched for dictionaries for use with John
the Ripper, hoping to use one of these. There is surprisingly little
overlap in the top terms among these different dictionaries. This
makes me unsure of their utility.

This is for a web service with an international user base, if that
makes a difference.



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
