Thursday, February 11, 2010

What's a wordlist?

"You should not...". An opening phrase commonly used by security people while talking to others, while "Thou shalt not..." is used somewhere else. I've said it myself countless times, still trying to change that.

Maybe we should do a competition; the first security person who can stay away from answering "no" or saying "you should not..." for a month gets an award? I guess it would be a tough challenge to many security administrators out there!

Moving over to the most frequent topic on this blog so far: passwords. Here are a few quotes from selected various sites and policies (click the links to get to the originating site):

Google: "Problem 2: Using common passwords or words found in the dictionary"

NASA: "c. Dictionary words (i.e., English or other language) even with numerals used to replace letters."
(As far as i know this is the document Imperva referenced in their much discussed white paper on the passwords distributed after the RockYou hack, which I've written about earlier. Dr Rick Smith has some opinions to add, not forgetting Matt Weir - and many others....)

PTS (Sweden): "Ett lösenord får inte vara en vanlig teckenkombination, ett ord eller en vanlig kombination av ord som finns i ordböcker eller används i dagligt språkbruk, oberoende av språk."

SANS Institute (password policy template from 2006, PDF document):
•  The password is a word found in a dictionary (English or foreign)  
•  The password is a common usage word such as: 
o  Names of family, pets, friends, co-workers, fantasy characters, etc. 
o  Computer terms and names, commands, sites, companies, hardware, software. 
o  The words "", "sanjose", "sanfran" or any derivation. 
o  Birthdays and other personal information such as addresses and phone numbers. 
o  Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc. 
o  Any of the above spelled backwards. 
o  Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Wikipedia article on Password policy:
"prohibition of words found in a dictionary or the user's personal information"

NPT/Nettvett (Norway):
"Et passord bør ikke være en vanlig tegnkombinasjon, et ord eller en vanlig kombinasjon av ord som finnes i ordbøker eller brukes i daglig språkbruk, uansett språk"
(I've written about this one earlier...)

There are many more examples to be found. I'll say they are all rather confusing, without using any hard language. :-) Can anybody tell me how many written languages that exists on this planet? Could i please get a copy of the entire dictionary for every language, so that i can figure out what kind of password I'm actually allowed to create for myself? I'm afraid it may take some time, but at least i should be able to comply with "best practice"...

These requirements, even when treated as "good advice", are completely INSANE.

If we use the correct intepretation of what a dictionary really is, it will contain very few first, middle and surnames used in Norway, names that are commonly used in passwords. Other requirements from above doesn't really make things easier either. I mean, you can't even use the longest word in the English language as part of your password!

If anyone were to say "do not use any words or phrases found in wordlists" (they exist), I really have to ask "What's a wordlist?"

I'm glad you asked. Take a look at the wordlist used by Conficker to attempt illegal access into systems.

I've created my very own wordlist, consisting of passwords found and observed over the years through my own research. It contains passwords such as Ogpdpyx4Ogpdpyx4 and Obrad100%ObradDoncicObradermaaletObradOgAndreObradOgKarinobs..... (and longer passwords as well)

I'll stop here. I'll vote for dropping any password policy requirement that contains "do not use..." and either dictionary or wordlist in the same sentence. It's just impossible to implement, control or live by, period. Anyone who would disagree?

No comments:

Post a Comment

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.