Tuesday, June 5, 2012

Twitter and the Worst Passwords of All Time

This is a post from January 2010, replayed here to make it more accessible.

If you follow security news, you will have seen stories about Twitter and its banned password list, 370-odd passwords which Twitter has embedded in the source code of its registration page so that if you try to use them, it can say that they are "too obvious". Here's one such story. And here's the original source.

As it happens, I spent some of last week reading lists of common passwords (if this sounds grim to you, you should realize that I also spent a noticeable portion of last week reading spam, so you know, after all those misspelled drugs, common passwords were looking good). As a result, the list looked oddly familiar as soon as I saw it. It's "The 500 Worst Passwords of All Time" from Mark Burnett's book Perfect Passwords. You'll find it under that name all over the net, sometimes with proper attribution, and sometimes without.

The Twitter list isn't identical. For one thing, it's shorter, mostly by the removal of passwords under 6 characters; for another, it includes more duplicates (the original list includes "0" twice, probably a formatting error for "000000" and "00000000"). There are some other additions, like "twitter" and "abcdef", probably signs that another list was added in.

You may ask how I KNOW it's the same list. After all, maybe those really ARE the 500 worst passwords of all time, and Twitter came up with them independently, but if that's the case, it's a mystery that they don't match the data from any place else. Here's a summary of three compromised password lists. My first tip-off was "srinivas", eye-catching because it's the name of a colleague, and it's staggeringly improbable as a top 500 password. Sure, it's a pretty common Indian name, but it's the only Indian name on the list, it doesn't occur on any other frequent password lists, and it's not a pop-culture reference with the kind of extraordinary popularity shown by the other entries. There's no way it should beat out "krishna" or "ganesh", popular Indian names with lots more American popularity than "srinivas". So it's more than a little suspicious to see it on these two lists. Couple that with the rest of the overlaps, and there's no way Twitter made this list up.

Furthermore, if you look at uncensored password frequency data, you're awfully likely to find exclamation points (particularly on obscenities, which are extremely popular in passwords -- if you see a top 100 list with nothing obscene in it, become very, very suspicious, as they usually make it into the top 10). This list has no punctuation, presumably due to filtering at some point. It was almost certainly intended to be used with case insensitivity and common substitutions (Twitter is not using it that way; "srinivas" may be too obvious, but my local Srinivas was quite chagrined to discover that "Srinivas" is A-OK in Twitter's eyes.) The top 500 list, and its Twitter descendant, do include obscenities, although much press coverage edits them out.
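To make the distinction concrete, here is an added example (my own sketch, not Twitter's registration-page code): the exact, case-sensitive lookup that lets "Srinivas" through, beside a check that lower-cases the password and undoes common substitutions before looking it up. The BANNED list is a constructed six-entry sample standing in for the real one.

```javascript
// Added example, not Twitter's code. BANNED is a constructed sample list.
const BANNED = new Set(["password", "letmein", "123456", "srinivas", "twitter", "abcdef"]);

// Common substitutions people use to dress up a dictionary word.
const SUBSTITUTIONS = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Exact, case-sensitive lookup: the behaviour the post observes on Twitter,
// where "srinivas" is rejected but "Srinivas" is accepted.
function isBannedExact(password) {
  return BANNED.has(password);
}

// Map each character back through the substitution table.
function undoSubstitutions(lower) {
  return [...lower].map((ch) => SUBSTITUTIONS[ch] ?? ch).join("");
}

// Candidate spellings to look up: lower-cased as typed, with substitutions
// undone, and with leftover punctuation stripped so "password!" still hits.
// The as-typed form is kept so all-digit entries like "123456" still match.
function candidates(password) {
  const lower = password.toLowerCase();
  const unleeted = undoSubstitutions(lower);
  return new Set([lower, unleeted, unleeted.replace(/[^a-z0-9]/g, "")]);
}

// Normalised lookup: banned if any candidate spelling is on the list.
function isBannedNormalized(password) {
  for (const c of candidates(password)) {
    if (BANNED.has(c)) return true;
  }
  return false;
}
```

Either check only tells you a password is on one short list; as the post goes on to say, passing it is not the same as being hard to crack.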

In any case, there's no such thing as the 500 worst passwords of all time. The passwords on any given list reflect the password rules of the site, the pop culture of the time (that all-time list was before the band Blink 182 became popular), the popular names and sports teams of the regions the users come from… There are a lot of commonalities from list to list (apparently "password", "letmein", and "123456" never get old), but there's a lot of turnover, as well. My mystic password predictor says "avatar" is on the hit list with a bullet these days.

Looking at lists of common passwords is a fun exercise in social psychology, but if you want to know something about password security, use the longest password you're allowed, and put more than one piece of punctuation, and more than one number, somewhere in the middle. This advice is not original; here's Bruce Schneier's version, with explanation. That will not only keep you off the top 500 lists, it will also go some way towards actually keeping you secure. The odds are that using your last name will keep you off a short banned list (even if you have a staggeringly popular last name), but it won't do a thing to keep away the password crackers, who really do use information about your login and your real name to decide what to try. Avoiding this kind of list is to actually being secure what avoiding getting onto the freeway in the wrong direction is to being a good driver. It is a start, but it's hard to call it even a good start.