Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Badly implemented password security

December 28th 2009 in Uncategorized

Go to https://twitter.com/signup, right click the page, and then select “View Page Source” (FF/Google Chrome) or “View Source” (IE).  There, in all its glory, you will find Twitter’s list of forbidden passwords (all credit to Sophos who pointed out that the list was available for all to see).

For what it's worth, I have long since stopped advising that people use “strong passwords”.  Rather, I encourage the use of “pass phrases”.  Unfortunately, pass phrases don't work with web sites that limit the number of characters you can use, or that do not allow non-standard characters such as spaces (sadly, there are still too many web sites that do that), but for the rest, pass phrases such as “I may move slow but I look good!” are very easy to remember and extremely difficult to crack.

BTW, the password “password1234” is accepted by Twitter (and is assessed by the Twitter sign-up page as “strong”), as is “1password” and “!@#$%^&*()” and “twitter123” (assessed as “good”)… I’m not sure what security Twitter thinks they are achieving…



3 comments to “Badly implemented password security”

Matt

You can’t really know if this is “badly implemented” unless you know the motivation behind it. It does exactly what it is supposed to do, prevent those passwords from being used by users. Perhaps it could be bypassed if the same checks aren’t done on the server, but that would have to be intentional.



Slav

The password blacklist doesn't constitute bad password security. Client-side script implementing the blacklist probably gives an opportunity to bypass the check, but that will only result in a lousy password for those who make the effort.

This is a non-issue.



sandi

It is not a non-issue. The implementation is silly, and ineffective, and it is very worrying that a site such as Twitter, where accounts are forever under attack, should be so lax in their password requirements.

1) Why let the world see the list in the first place?
2) “Password” (and variations such as passw0rd) should be banned *completely* on all sites.
3) The use of the word “Twitter” and variations as part of password should be banned *completely* on that site.
4) To reassure users that “password1234” is a “strong” password is dangerous for the end user and encourages very bad practice – the very fact that the word “password” is included should immediately flag the password as dangerous.
5) Spaces are not accepted – bad.
6) The minimum number of characters required is only 6 – bad.
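As an added example (not Twitter's code and not the author's), here is a server-side policy check along the lines of the points raised in the post and in the comment above: it rejects the post's examples “password1234”, “1password”, “twitter123” and “!@#$%^&*()” but accepts the pass phrase “I may move slow but I look good!”, and it undoes common leetspeak so “passw0rd” cannot slip past the word ban. The blacklist, the site-word list, the substitution table and the 12-character minimum are constructed assumptions, not values from Twitter's real list.

```python
import re

# Constructed stand-in for a site's forbidden-password list (not Twitter's real list).
BLACKLIST = {"password", "123456", "qwerty", "letmein", "abc123", "iloveyou"}
# Words tied to the site itself (sandi's point 3); "twitter" comes from the post, "tweet" is assumed.
SITE_WORDS = ("twitter", "tweet")
# Common leetspeak substitutions, so "passw0rd" and "p@ssword" map back to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
KEYBOARD_ROWS = ("1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed minimum; the post criticises a minimum of 6

def normalize(pw):
    """Lower-case and undo leetspeak so banned words cannot be hidden by substitution."""
    return pw.lower().translate(LEET)

def has_keyboard_run(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            seq = row[i:i + min_run]
            if seq in low or seq[::-1] in low:
                return True
    return False

def check_password(pw, blacklist=BLACKLIST, site_words=SITE_WORDS):
    """Policy check meant to run on the server, whatever the browser-side script says.
    Returns a list of rejection reasons; an empty list means the password is accepted.
    Spaces are deliberately allowed so pass phrases work."""
    low, norm = pw.lower(), normalize(pw)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short: fewer than %d characters" % MIN_LENGTH)
    for word in blacklist:
        # Match the raw word ("123456") as well as its leet-normalised form ("passw0rd").
        if word in low or normalize(word) in norm:
            reasons.append("contains banned word: %s" % word)
            break
    for word in site_words:
        if word in norm:
            reasons.append("contains site name: %s" % word)
            break
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard-row sequence")
    return reasons

def is_acceptable(pw):
    return not check_password(pw)
```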

