password blacklisting and security

do you do it?

ergophobe

6:04 pm on Aug 19, 2004 (gmt 0)

How many of you use a blacklist for passwords for your sites? I don't use one because to prevent a real automated attack it would need to be huge.

I've been thinking of a simple alternative to catch the most egregious examples, though, like prohibiting any password that is a substring or superstring of the username, and then having a few obvious prohibited choices.

Tom

jatar_k

6:29 pm on Aug 19, 2004 (gmt 0)

I never really have done it, though it crosses my mind every time I contemplate security, which is all the time.

Thing is, how far is too far?
At what point will the user be annoyed?

I have never changed from the simple standard password rules only because of that.

Chris_R

6:33 pm on Aug 19, 2004 (gmt 0)

I think it depends on what you are protecting.

If you are protecting an account with money in it - it doesn't irritate me as much if there are strong password rules, but if I was asked to do this for a site just to register - it would probably irritate me.

Just my 2 cents.

The more they could lose - the more I would say it is good.

ergophobe

7:03 pm on Aug 19, 2004 (gmt 0)

I wasn't thinking of it for regular users who are just registering to use a site. I know I have some of these with Firstname for a pass and FirstnameLastname for a username, but I don't care - few privileges, no sensitive data.

I'm thinking of users with access to the database, page-edit screens, that sort of thing. These are accounts that, if hacked into, could do some major damage. On one of the sites, it could literally take years to notice the damage depending on what they did. Realistically, I doubt anyone would ever touch it for the same reason that most wikis basically don't have problems with defacing (i.e. nobody wants to), but I still worry.

Tom

ergophobe

7:17 pm on Aug 19, 2004 (gmt 0)

simple standard password rules

Those being?

- alpha-numeric plus _ and -
- more than X chars
- case-sensitive

Anything else (again, not for simple registered users)?

- must have at least one letter and at least one number?
- more than X distinct chars (i.e. disallow 'aaaaaa')?
-?

jatar_k

7:25 pm on Aug 19, 2004 (gmt 0)

A third field makes a bigger difference than stricter rules.

Think brute force, dictionary, hybrid crackers.

- must have at least one letter and at least one number?

Won't matter; positioning is more important than their existence. jatar111 is as easy to crack as 111jatar or jatarsomething, but jat1ar will put the brute force time through the roof comparatively.

- more than X distinct chars (i.e. disallow 'aaaaaa')?

True, that will help, but again you run into dictionary searches. Non-repetitive chars won't necessarily increase the strength of the password.

[added] Plugging a dictionary in would be a good start to building better passwords.

If you really need to build great passwords you need to gen them and hand them out.
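The rules discussed in this thread, the character set, minimum length, distinct-character count, letter-plus-digit mix, the substring/superstring-of-username check from the first post, and a dictionary lookup, combined into one validator. This is an added example, not code from any poster; the blacklist, thresholds and sample inputs are constructed placeholders.

```python
import re

# Constructed sample blacklist; a real deployment would load a much larger
# dictionary/wordlist file, as suggested in the thread.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

# Character set from the thread: alphanumeric plus '_' and '-'
ALLOWED = re.compile(r"[A-Za-z0-9_-]+")

def check_password(username, password, min_length=8, min_distinct=4):
    """Return the list of violated rule names; an empty list means accepted.

    Rule names: 'charset', 'length', 'distinct', 'mix', 'username', 'common'.
    The thresholds are assumed values, not ones given in the thread.
    """
    problems = []
    if not ALLOWED.fullmatch(password):
        problems.append("charset")
    if len(password) < min_length:
        problems.append("length")
    # 'more than X distinct chars' rule, rejects 'aaaaaa'
    if len(set(password)) < min_distinct:
        problems.append("distinct")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("mix")
    # Substring/superstring-of-username rule from the first post, compared
    # case-insensitively so 'Jatar' does not slip past 'jatar'.
    u, p = username.lower(), password.lower()
    if u and (u in p or p in u):
        problems.append("username")
    # Dictionary check. Strip digits/punctuation padded onto either end
    # (jatar111, 111jatar) before the lookup, since that padding adds little
    # brute-force cost compared with a character placed mid-word (jat1ar).
    core = re.sub(r"^[0-9_-]+|[0-9_-]+$", "", p)
    if p in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common")
    return problems

if __name__ == "__main__":
    # Constructed sample username/password pairs
    for user, pw in [("jatar", "jatar111"), ("alice", "Password1"),
                     ("tom", "aaaaaa"), ("tom", "jat1ar-Xy9")]:
        print(f"{user!r} / {pw!r}: {check_password(user, pw) or 'OK'}")
```

Note that the substring rule rejects any password containing a very short username (for example a one-letter one), so very short usernames may need a minimum length of their own.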

coopster

11:24 pm on Aug 19, 2004 (gmt 0)

I have never used a blacklist, but I have enforced strong password policies. Google for "strong password policy" and you'll get plenty more info. I have always liked IBM as a resource in this area, lots 'o good advice.