I need to implement a 'stop list' to prevent users selecting common passwords in a new online service.
Can anyone point me to such a list online anywhere?
Edited: Note that I'm only trying to eliminate the most common passwords, not an exhaustive dictionary. And, of course, this complements a reasonably strong password policy (length, use of non-alpha characters, etc.)
Thanks.
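As an added example (not from the question or any of the answers), here is one way to implement such a stop list in Python alongside a simple complexity rule: the candidate is normalised before lookup so that decorated variants of a common password (capitalisation, trailing digits, a few symbol-for-letter swaps) are still caught, and a check against the user's own details is included. The stop-list entries are constructed samples standing in for whatever list you end up with; the "3 of 4 character classes" threshold is an assumption.

```python
import re
import string

# Constructed sample stop list (assumption: one lower-case entry per line).
STOP_LIST_TEXT = """\
password
123456
qwerty
letmein
welcome
"""

# A few common symbol/digit-for-letter swaps, undone before lookup.
_LEET = str.maketrans("@$0134!", "asoleai")


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word people decorate: lower-case it,
    strip leading/trailing digits and punctuation, then undo leet swaps."""
    base = candidate.lower().strip(string.digits + string.punctuation)
    return base.translate(_LEET)


def load_stop_list(text: str) -> frozenset:
    """Normalise every entry so the list and the candidate compare equally."""
    return frozenset(normalize(line) for line in text.splitlines() if line.strip())


def has_complexity(candidate: str, min_len: int = 8, classes_required: int = 3) -> bool:
    """Minimum length plus at least N of: upper, lower, digit, symbol."""
    classes = (
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return len(candidate) >= min_len and sum(classes) >= classes_required


def _alnum(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_password(candidate: str, stop_list: frozenset, user_facts=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if not has_complexity(candidate):
        reasons.append("complexity")
    if normalize(candidate) in stop_list:
        reasons.append("stop list")
    # Personal data (e.g. an ID number) is checked as a substring, ignoring separators.
    cand = _alnum(candidate)
    if any(len(f := _alnum(fact)) >= 4 and f in cand for fact in user_facts):
        reasons.append("contains personal data")
    return reasons


STOP_LIST = load_stop_list(STOP_LIST_TEXT)
```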
If it is a customer requirement to check against a list of known bad passwords then I would probably ask them to supply the list of passwords they think are bad. If they can't supply the list then I would go with the password complexity rules as suggested by others.
Doesn't the old Unix "crack" tool come with a list of common passwords? I believe it has brute-force and dictionary methods.
I think this customer needs to be beaten over the head a little. :)
The annoying thing is that I can understand and even empathise with where they're coming from. But this requirement will only cause grief and hassle in the long term (I can see, for example, a future requirement for the list of "known common passwords" to be updated on an annual - or even more frequent - basis). Password complexity requirements are known to work in the field, and even the most basic complexity requirement (such as any 3 of uppercase, lowercase, numeric or symbol) will automatically exclude the vast majority of dictionary words.
Another deal breaker is that a lot of people will use things that they are familiar with as a password. A social security number, for example, might meet a complexity requirement (numbers, letters, and a hyphen, perhaps), and would certainly never be in any hypothetical list of "known common passwords", but would also be insecure in that it's one of the things a potential cracker would try (assuming that they either knew it or had the means to obtain it).
One online service I used once gauged password security by measuring a combination of factors: how many of each type of character was in the password, and how long the overall password was. Instant feedback was given, so you could get a good feel on whether your password was deemed good or not based on their metrics. Such an approach seems much preferable to me.
Also attractive would be using a service such as OpenID or Microsoft Passport (or whatever it's called this week) instead of implementing your own. I'm massively suspicious of services that require a user to have a separate logon for everything they access. The major risk is that the user has so many username/password combos to remember that they will end up writing them down, and also that they will end up using the same username and password for them all, so that if one - and all it takes is one - gets compromised, they're all effectively compromised. The weakest link rule applies here with knobs on. Going with a provider who specialises in this area is a Good Thing (you're free to focus on specifics of your service, you have an authentication mechanism that's known-good, etc).
Most people use dictionary word lists for this type of thing. I can't vouch for how good these lists are ... but here are a few.
If you just google "dictionary word lists" you should get a bunch of results.
Why not just enforce good password policies? Something like at least 8 characters, mixed case, at least 1 number, and 1 non-alphanumeric character. Other than that, there are a number of good dictionaries that you can compare passwords to.
Don't use a static list. Consider running John the Ripper to see if the pw is too simple.
I agree that just having a strong password policy is probably a better idea.
If I really wanted to implement what you said, I think you will need to find a couple of good dictionaries. You will then want to generate all the hashes from variations on that dictionary, and then check their hash against that list. This is called a rainbow table, and in the attack world, is known as a time-memory trade off. If you don't do it this way, the check on the server will really just take too long.
Even better might be to use a tool that generates a bunch of bad passwords from the information they filled out the form with. See CUPP as an example Python program that does this.
Rather than trying to work with a list of bad passwords you would do better to use whatever method is available on your system to force password complexity, if possible. If you still want lists of bad passwords hunt around for the dictionary lists used by password crackers.
Sad story, but my best password list is one I got while examining a server of mine which got compromised.
L0phtCrack, I believe, came shipped with a list of passwords that it tried first. Similarly, you could look at some analyses of Conficker.B, which also had a list, albeit a short one, of passwords.