I’ve been crafting a post on better passwords and it’s been sitting in the drafts folder for far too long now, which usually means it will never get posted but since twitter decided to enforce password restrictions I feel I should dig parts of that old post out and rant a bit.

So Twitter recently decided that there are a few passwords people just shouldn’t use, and while they are right, I have a couple of issues that make me itch a bit:

A few passwords. That’s right, not a comprehensive list of passwords by any means. After a quick look at the list I have to agree that if I were doing a penetration test, brute forcing user passwords with the list Twitter finds unacceptable would (in all probability) provide some nice results; those really are common passwords, and I wonder where Twitter got them. Could they have compiled the list from the most used passwords in their own user database? Are they making my job that easy? A password policy enforced now will not affect the millions of users that registered previously, so whatever is on that list is still a valid password on every one of those older accounts.

So this leaves me with two options: I can use that list to brute force the service, with a better chance of cracking accounts created before the policy, or I can grab the list and remove those entries from my dictionary file, since the policy guarantees that none of them can be set on an account created after it. Which leads me to my second issue: how the whole thing was implemented. The list is shipped to the browser as a JavaScript array, so you can see all of it simply by viewing the page source at https://twitter.com/signup. Here’s what it looks like:

//<![CDATA[
 twttr.BANNED_PASSWORDS = ["111111","11111111","112233","121212","123123","123456","1234567","12345678","131313","232323","654321","666666","696969","777777","7777777","8675309","987654","aaaaaa","abc123","abc123","abcdef","abgrtyu","access","access14","action","albert","alexis","amanda","amateur","andrea","andrew","angela","angels","animal","anthony","apollo","apples","arsenal","arthur","asdfgh","asdfgh","ashley","asshole","august","austin","badboy","bailey","banana","barney","baseball","batman","beaver","beavis","bigcock","bigdaddy","bigdick","bigdog","bigtits","birdie","bitches","biteme","blazer","blonde","blondes","blowjob","blowme","bond007","bonnie","booboo","booger","boomer","boston","brandon","brandy","braves","brazil","bronco","broncos","bulldog","buster","butter","butthead","calvin","camaro","cameron","canada","captain","carlos","carter","casper","charles","charlie","cheese","chelsea","chester","chicago","chicken","cocacola","coffee","college","compaq","computer","cookie","cooper","corvette","cowboy","cowboys","crystal","cumming","cumshot","dakota","dallas","daniel","danielle","debbie","dennis","diablo","diamond","doctor","doggie","dolphin","dolphins","donald","dragon","dreams","driver","eagle1","eagles","edward","einstein","erotic","extreme","falcon","fender","ferrari","firebird","fishing","florida","flower","flyers","football","forever","freddy","freedom","fucked","fucker","fucking","fuckme","fuckyou","gandalf","gateway","gators","gemini","george","giants","ginger","golden","golfer","gordon","gregory","guitar","gunner","hammer","hannah","hardcore","harley","heather","helpme","hentai","hockey","hooters","horney","hotdog","hunter","hunting","iceman","iloveyou","internet","iwantu","jackie","jackson","jaguar","jasmine","jasper","jennifer","jeremy","jessica","johnny","johnson","jordan","joseph","joshua","junior","justin","killer","knight","ladies","lakers","lauren","leather","legend","letmein","letmein","little","london","lovers","maddog","madison","maggie","magnum","marine","marlboro","martin","marvin","master","matrix","matthew","maverick","maxwell","melissa","member","mercedes","merlin","michael","michelle","mickey","midnight","miller","mistress","monica","monkey","monkey","monster","morgan","mother","mountain","muffin","murphy","mustang","naked","nascar","nathan","naughty","ncc1701","newyork","nicholas","nicole","nipple","nipples","oliver","orange","packers","panther","panties","parker","password","password","password1","password12","password123","patrick","peaches","peanut","pepper","phantom","phoenix","player","please","pookie","porsche","prince","princess","private","purple","pussies","qazwsx","qwerty","qwertyui","rabbit","rachel","racing","raiders","rainbow","ranger","rangers","rebecca","redskins","redsox","redwings","richard","robert","rocket","rosebud","runner","rush2112","russia","samantha","sammy","samson","sandra","saturn","scooby","scooter","scorpio","scorpion","secret","sexsex","shadow","shannon","shaved","sierra","silver","skippy","slayer","smokey","snoopy","soccer","sophie","spanky","sparky","spider","squirt","srinivas","startrek","starwars","steelers","steven","sticky","stupid","success","suckit","summer","sunshine","superman","surfer","swimming","sydney","taylor","tennis","teresa","tester","testing","theman","thomas","thunder","thx1138","tiffany","tigers","tigger","tomcat","topgun","toyota","travis","trouble","trustno1","tucker","turtle","twitter","united","vagina","victor","victoria","viking","voodoo","voyager","walter","warrior","welcome","whatever","william","willie","wilson","winner","winston","winter","wizard","xavier","xxxxxx","xxxxxxxx","yamaha","yankee","yankees","yellow","zxcvbn","zxcvbnm","zzzzzz"];
     page.controller_name = 'AccountController';
     page.action_name = 'new';
     twttr.form_authenticity_token = '71a074c2881258ce889d6ce7c47d26e527811612';
     // FIXME: Reconcile with the kinds on the Status model.
     twttr.statusKinds = {
       UPDATE: 1,
       SHARE: 2
     };
     twttr.ListPerUserLimit = 20;

//]]>

Well, shouldn’t that live somewhere other than the page source? A check that only runs in the browser can be skipped by anyone who doesn’t run the JavaScript, so the same check has to be enforced on the server anyway; doing it only there would also have kept the list out of everyone’s hands.

Now, this post isn’t really about Twitter but about password restrictions and how to enforce them. Twitter will in any case be much more prone to XSS attacks than to online brute force attacks (the reCAPTCHA after a few failed attempts complicates the whole process).

The list should be not only a bit more comprehensive but less arbitrary as well. How is “zzzzzz” unacceptable, but add another z and it’s OK? Even more interesting (and this is what makes me think that Twitter pulled this list from their own data): “xxxxxx” and “xxxxxxxx” are both listed, so 6 and 8 x’s are not OK, but 7 x’s is just fine. The same goes for “111111” and “11111111”. A sane rule would reject any run of a single repeated character instead of enumerating lengths.
On a side note: why is “abc123” listed twice in a row? And it isn’t alone: “asdfgh”, “letmein”, “monkey” and “password” also appear twice, so the list was never even deduplicated.
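To make the two complaints above concrete, here is a small audit script, added to this post and not part of Twitter’s code, that checks a banned-password list for duplicates and for the “6 and 8 but not 7” gaps, and then splits a cracking dictionary the way the two options above describe. BANNED is an excerpt of the twttr.BANNED_PASSWORDS array quoted above; WORDLIST is a constructed stand-in for a real dictionary.

```python
"""Audit a published banned-password list and show what an attacker does with it.

Added example, not code from the original post or from Twitter. BANNED is an
excerpt of the twttr.BANNED_PASSWORDS array quoted in the post; WORDLIST is a
small constructed stand-in for a cracking dictionary.
"""
from collections import Counter

BANNED = [
    "111111", "11111111", "123456", "1234567", "12345678",
    "abc123", "abc123", "asdfgh", "asdfgh", "letmein", "letmein",
    "monkey", "monkey", "password", "password", "password1",
    "qwerty", "xxxxxx", "xxxxxxxx", "zzzzzz", "twitter", "dragon",
]

# Constructed stand-in for a cracking dictionary (a real one has millions of entries).
WORDLIST = [
    "123456", "password", "letmein", "dragon", "xxxxxxx", "zzzzzzz",
    "sunshine2009", "Tr0ub4dor", "monkey", "correcthorse",
]


def find_duplicates(banned):
    """Entries that appear more than once: a sign the list was never deduplicated."""
    counts = Counter(banned)
    return sorted(word for word, n in counts.items() if n > 1)


def repeated_char_gaps(banned):
    """For single-character runs like 'xxxxxx', report run lengths that are
    banned while a length in between is not, e.g.
    {'x': {'banned': [6, 8], 'missing': [7]}}. A rule should ban the pattern,
    not individual lengths."""
    runs = {}
    for word in banned:
        if len(set(word)) == 1:
            runs.setdefault(word[0], set()).add(len(word))
    gaps = {}
    for ch, lengths in runs.items():
        lo, hi = min(lengths), max(lengths)
        missing = [n for n in range(lo, hi + 1) if n not in lengths]
        if missing:
            gaps[ch] = {"banned": sorted(lengths), "missing": missing}
    return gaps


def split_wordlist(wordlist, banned):
    """The attacker's two options from the post.

    old: dictionary entries that are on the banned list; these are still valid
         passwords on accounts created before the policy, so try them there first.
    new: the dictionary with banned entries pruned; the policy guarantees none
         of them can be set on an account created after it, so don't waste
         guesses on them.
    """
    banned_set = set(banned)
    old = [w for w in wordlist if w in banned_set]
    new = [w for w in wordlist if w not in banned_set]
    return old, new


if __name__ == "__main__":
    print("duplicates:", find_duplicates(BANNED))
    print("gaps:", repeated_char_gaps(BANNED))
    old, new = split_wordlist(WORDLIST, BANNED)
    print("try on old accounts:", old)
    print("pruned dictionary:", new)
```

Run against the full list from the page source, find_duplicates reports the five doubled entries and repeated_char_gaps flags the missing 7-character runs; against a real dictionary, split_wordlist is the one-liner that turns a published banned list into a targeting aid.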

There are obvious places where a “good enough” list of common passwords is publicly available. If these checks are going to be implemented on the web, you should use one of those lists rather than some arbitrary, obviously sub-par list of your own.

Password policies are a trade-off between security and usability. There are a few ways around that, but that’s another ring of punishment in Dante’s Inferno. I fully support password restrictions on websites; actually, password restrictions should be everywhere, and they should be more than a list, they should be smart (can you use your year of birth as your ATM PIN? Exactly!).

Passwords are hard and people are lazy. Not only lazy: they play down their role in a corporation and think that having their Facebook account hacked would be a nuisance but nothing really serious.


Sadly, for the most part IT security starts and ends with passwords. Whether you are in your cube logging on to the back office, at home logging in to the VPN, the system administrator elevating privileges to superuser or the hacker brute forcing a corporate POP3 server, it all comes down to a password.

There are a lot of misconceptions about passwords. The biggest and most dangerous one is that your password “doesn’t matter” because you are just the brand new junior accountant and you are not really doing any real work; the idea is that your privileges in the corporation are so low that even if someone did get your password they couldn’t do anything very disruptive with it.

Wrong.

Every password matters, and it matters a lot. Logging in with a regular user account can be the first victory for an attacker; after that it’s all a matter of time until they find or even develop an exploit that elevates that account’s privileges to something more useful in practical terms. A regular user account also has access to services that could potentially be exploited (the regular user may not be able to imagine how, but someone else can): a database, a web form, your email server, and so on.

Another misconception is what constitutes a good password. While researching this post I was shocked to see that both huge corporations and casual internet users have a poor grasp of what a good password is.

Let’s start with the casual internet user. Here’s a Yahoo! Answers question where someone asked what a good password would be. Notice the “best” answer. Shocking stuff:

Numbers and letters definitely. Maybe your birth year, part of your last name, pet’s name, and a part of your telephone number.
Make it so that no one else in the world could figure it out in a logical way.

All the examples given? Bad, bad, terrible passwords, and that last sentence just contradicts the examples. There’s nothing more logical than a password that correlates to the user’s life: birth year, surname, pet’s name and phone number are exactly the things an attacker collects first, from a social network profile if nowhere else. The remaining answers are just as appalling.

Now let’s see what the nice people in Redmond have to say about it. Here’s an excerpt:

The easiest way to remember your passwords is to write them down.
It is OK to write passwords down, but keep them secret so they remain secure and effective.

Sounds silly? It is. But it comes after they explain what a good password is to them, and even though they state that a good password should be easy to remember but hard to guess, the truth is that using their method you will never really remember more than 2 or 3 passwords. Also, their example password is ridiculously short for this day and age (more on that coming right up).

Okay, so what’s a good password and good password policy?

Make them long. 6 or 8 character passwords are history. You would be awestruck by how quickly a 6 or 8 character password is cracked with simple scripts that leverage the good ol’ trial and error technique. Remember that computers are getting faster, connections are getting faster, and so the speed at which a password can be cracked increases with the processing power that becomes available. Length is what works against that: every extra character multiplies the number of guesses an attacker has to make by the size of the alphabet, so two extra characters buy you more than swapping an “a” for an “@”.

Right now, using a technique called rainbow tables (precomputed hash lookups, so we’re not talking about brute force any more), any Windows LM-hashed password can be cracked in minutes. The 14-character figure you hear quoted comes from that format, which stores a password of up to 14 characters as two independent 7-character halves and isn’t generated at all for longer passwords. Rainbow tables only work against unsalted hashes, but far too many systems still store exactly those.

A solid password policy isn’t easy to maintain. At your place of work your system administrator can implement and even enforce that your password can’t contain any of your personal data (names, dates, addresses), that it must be at least 6 characters with upper and lower case letters and digits, and that it has to be changed every 30 days. I can assure you, as someone who has worked with rather large corporations, that people notice that every 30 days something inevitably changes, and you end up with a worrisome number of accounts with the password November2009. And next month? Want to guess what those will change to?

And as someone who worked very closely with users I can tell you that this is a habit that is nurtured as soon as new people join the ranks, try to create a new password and have trouble creating a valid one. At the first exclamation of “Argh, I can’t think of anything”, the nice co-worker next to them will supply the formula.

There is really no silver bullet when it comes to password policy; it’s more about raising awareness of weak passwords than anything else.

If your password policy is too restrictive it makes tricks like the one described more likely; if it’s non-existent the password will be the same as the username in most cases.
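The policy above can be written down in a few lines, and so can the check that actually catches the November2009 formula. The following is an added example, not code from the post or from any real corporate policy; the month and season lists, the 14-character minimum (the post’s own recommendation) and the sample personal data are assumptions.

```python
"""The complexity policy described in the post beside a check that catches the
'November2009' rotation formula. Added example, not code from the original
post; MONTHS, SEASONS, PERSONAL and the 14-character minimum are assumptions."""
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
# Constructed sample of one user's personal data that the admin's filter checks.
PERSONAL = {"jane", "doe", "1985", "springfield"}


def passes_complexity_policy(pw, personal=PERSONAL):
    """The policy as the post describes it: at least 6 characters, upper and
    lower case, digits, and none of the user's personal data. 'November2009'
    satisfies every rule, which is exactly the problem."""
    if len(pw) < 6:
        return False
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"\d", pw)):
        return False
    low = pw.lower()
    return not any(item in low for item in personal)


def stem(pw):
    """Letters only, lowercased: 'November2009!' -> 'november'. Digits and
    punctuation are the part users rotate, so the stem is what to compare."""
    return re.sub(r"[^a-z]", "", pw.lower())


def rotation_formula_reasons(pw, previous=None, min_length=14):
    """Reasons to reject pw beyond the complexity rules. Empty list means accept.

    - too short for the post's 'make them long' advice
    - the letters are nothing but a month or season name (the calendar formula)
    - same letters as the previous password (Summer2008 -> Summer2009 bump)
    """
    reasons = []
    s = stem(pw)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if s in MONTHS or s in SEASONS:
        reasons.append("letters are just a month or season name")
    if previous is not None and stem(previous) == s:
        reasons.append("same letters as the previous password")
    return reasons


if __name__ == "__main__":
    for candidate, prev in [("November2009", None),
                            ("December2009!!", "November2009"),
                            ("Summer2009xyz!", "Summer2008xyz!"),
                            ("correct horse battery staple", None)]:
        print(candidate, passes_complexity_policy(candidate),
              rotation_formula_reasons(candidate, prev))
```

The stem comparison is the part worth copying: it rejects the 30-day “bump the number” trick without having to store old passwords in the clear, since only stem(previous) needs to be kept (and it can be kept hashed).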

I can’t for the life of me understand why password managers have yet to become part of corporate password security policy.

Password managers are a big help, since they will create, store and retrieve your passwords. One can create passwords of significant complexity for you, and you only have to remember one password, the one that unlocks all the others. The downside of a password manager is simply that the passwords are stored on your computer, and if you try to access something from work or a friend’s computer you might find yourself forced to reset the password to access the service. Some password managers have a mobile counterpart (the one I use has an iPhone version, so my passwords are always with me, still encrypted and still behind a huge password).

Personally I can’t understand people who have “trust issues” with password managers. I for one prefer to have my 36 unique passwords look something like ~sc1Q<<$r?ipg9DSiK than to have 36 identical passwords (even if they look like that).

“Trust issues” come from not researching the application you use and/or not understanding how it works under the hood.

You are not forced to use a password manager to have unique and complex passwords; there are several tricks to create strong, unique passwords for all the services you use. One thing you can do is choose one complex password (it doesn’t even need to be that long), for example R(z?10AI, and use the service name as a suffix or prefix to that password, for example:

  • R(z?10AIgoogle
  • R(z?10AItwitter
  • R(z?10AItalkbass
  • R(z?10AIthinkgeek

Look at that: 4 unique passwords, and the smallest ones are 14 characters long. Not too bad. Also pretty easy to remember, right?

Want to raise the bar a bit? How about using the URL as part of the password?

  • http://forums.freebsd.org/R(z?10AI
  • http://www.thinkgeek.com/R(z?10AI
  • http://www.google.com/R(z?10AI
  • http://www.linkedin.com/R(z?10AI

And there you go: pretty memorable and moderately safe passwords. The smallest one? 30 characters.

I can look at those passwords with some cynicism and say that there is a logic behind them and thus they would be guessable. Sure I could, but I still believe those examples beat by a long mile whatever 96% of the users that don’t use a password manager are using right now. This will not prevent an attacker from guessing all your other passwords once they get one of them (the service name is public, so stripping it off a single leaked password hands over the shared part), but it sure as hell will make cracking that first one much harder. What you accomplish here is that dictionary attacks become nearly useless because of the time it would take to crack such a password, and rainbow tables are also out of the question since all the passwords are over 14 characters (and against a properly salted hash they never applied in the first place).
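Since the weak spot of the scheme is what one leak gives away, here is the attacker’s side of it in code, next to a keyed variant that does not have that problem. This is an added example, not the post’s own method or code: the site labels, the HMAC-SHA256 derivation and the 20-character output length are my assumptions for illustration.

```python
"""What the 'one secret + service name' scheme gives away once a single site
leaks, beside a keyed derivation that does not. Added example, not code from
the original post; SITES, the HMAC-SHA256 construction and the 20-character
output length are assumptions."""
import base64
import hashlib
import hmac

MASTER = "R(z?10AI"  # the example secret used in the post
SITES = ["google", "twitter", "talkbass", "thinkgeek"]


def suffix_scheme(master, site):
    """The post's scheme: the fixed secret with the service name appended."""
    return master + site


def candidates_from_leak(leaked, leaked_site, other_sites):
    """Attacker's view. A breached site hands over 'R(z?10AItalkbass' (stored in
    the clear, or cracked). Strip the site name, which is public knowledge, and
    the shared secret falls out; every other site is then one guess each."""
    if not leaked.endswith(leaked_site):
        return []
    shared = leaked[: -len(leaked_site)]
    return [shared + site for site in other_sites]


def keyed_scheme(master, site, length=20):
    """Hardened variant (added here, not the post's method): derive each site's
    password as HMAC-SHA256(master, site), base64 encoded and truncated. A
    leaked output reveals nothing about the master or the other sites' outputs
    short of brute-forcing the master itself."""
    mac = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def derived_passwords(master, sites, scheme):
    """Per-site table for a scheme, so the two can be compared side by side."""
    return {site: scheme(master, site) for site in sites}


if __name__ == "__main__":
    print("suffix scheme:", derived_passwords(MASTER, SITES, suffix_scheme))
    print("after talkbass leaks:",
          candidates_from_leak(suffix_scheme(MASTER, "talkbass"), "talkbass",
                               [s for s in SITES if s != "talkbass"]))
    print("keyed scheme:", derived_passwords(MASTER, SITES, keyed_scheme))
```

The keyed variant gives up the memorability the post is after (you cannot work out the Google password in your head), so in practice it is what a password manager does for you; the point of showing it is that a per-site password should not contain the secret it was derived from.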

Another important thing regarding passwords these days is the “password reminder question”, which is usually something as simple (and Googleable) as “what’s your mother’s maiden name?” or “what was your first car?”. My advice? Lie consistently. Want better advice? Use another password as the answer to that question; if that is too much of a hassle, answer it with something unrelated and keep the answer in your password manager. What’s my mother’s maiden name? I Love Strawberry Smoothies.

As a final note, let me just say that I hate the password paradigm. I think passwords run counter to our nature and the way we think, and that passwords as an authentication method are a setup for failure… But there’s currently no viable alternative, so try to make the best of it.