Where to find a list of bad passwords?
I need to implement a 'stop list' to prevent users selecting common passwords in a new online service.
Can anyone point me to such a list online anywhere?
Edited: Note that I'm only trying to eliminate the most common passwords, not an exhaustive dictionary. And, of course, this complements a reasonably strong password policy (length, use of non-alpha characters, etc.)
Thanks.
Solution 1:
If it is a customer requirement to check against a list of known bad passwords then I would probably ask them to supply the list of passwords they think are bad. If they can't supply the list then I would go with the password complexity rules as suggested by others.
Solution 2:
Doesn't the old Unix "crack" tool come with a list of common passwords? I believe it has brute-force and dictionary methods.
Solution 3:
I think this customer needs to be beaten over the head a little. :)
The annoying thing is that I can understand and even empathise with where they're coming from. But this requirement will only cause grief and hassle in the long term (I can see, for example, a future requirement for the list of "known common passwords" to be updated on an annual - or even more frequent - basis). Password complexity requirements are known to work in the field, and even the most basic complexity requirement (such as any 3 of uppercase, lowercase, numeric or symbol) will automatically exclude the vast majority of dictionary words.
Another deal breaker is that a lot of people will use things that they are familiar with as a password. A social security number, for example, might meet a complexity requirement (numbers, letters, and a hyphen, perhaps), and would certainly never be in any hypothetical list of "known common passwords", but would also be un-secure in that it's one of the things a potential cracker would try (assuming that they either knew it or had the means to obtain it).
One online service I used once gauged password security by measuring a combination of factors: how many of each type of character was in the password, and how long the overall password was. Instant feedback was given, so you could get a good feel on whether your password was deemed good or not based on their metrics. Such an approach seems much preferable to me.
Also attractive would be using a service such as OpenID or Microsoft Passport (or whatever it's called this week) instead of implementing your own. I'm massively suspicious of services that require a user to have a separate logon for everything they access. The major risk is that the user has so many username/password combos to remember that they will end up writing them down, and also that they will end up using the same username and password for them all, so that if one - and all it takes is one - gets compromised, they're all effectively compromised. The weakest link rule applies here with knobs on. Going with a provider who specialises in this area is a Good Thing (you're free to focus on specifics of your service, you have an authentication mechanism that's known-good, etc).
Solution 4:
Most people use Dictionary word lists for this type of thing. I can't vouch for how good these lists are ... but here are a few
If you just google "dictionary word lists" you should get a bunch of results.
Solution 5:
Why not just enforce good password policies. Something like at least 8 characters, mixed cases, at least 1 number, and 1 non alpha-numeric character. Other than that there are a number of good dictionaries that you can compare passwords to.