Bowes didn't steal these passwords, and they're not associated with usernames, an extra piece of data that would make listing them far more dangerous. The vast majority of those millions of passwords became public after the breach of, a social networking applications site penetrated by cybercriminals using an SQL injection. Another 180,000 were spilled when the bulletin board software site phpbb was hacked using a vulnerability in one of the site's plugins. 37,000 more were stolen from MySpace using phishing techniques.

Bowes, a consultant with Dash9 security and a developer for the security scanning tool Nmap, says he collected the passwords to help researchers figure out how users choose passwords and make the authentication process more secure. The site he's assembled is a wiki, so anyone can update it with new breached password lists. "Since I created it, I've had exceptionally good feedback from researchers around the world," Bowes wrote in his blog. "As far as I know, it's the best collection of breached passwords anywhere."

The real lesson from Bowes' collection: people choose terrible passwords. In most lists that Bowes analyzed, "123456" was the most common password, with "password" somewhere shortly after. Most top ten lists of common passwords include the name of the site the user is logging in to. The most common passwords on the Christian blogging site Faithwriters included words like jesuschrist, heaven, christ, and blessed, all easy enough for a hacker to guess outright, and even easier to find with a dictionary attack that cycles through millions of word variants.

One fix Bowes suggests: blocking users from choosing the worst passwords. Twitter, for instance, has created a blacklist of 370 easily guessable passwords that it won't accept, disallowing users from choosing insecure words or phrases like "Password1" or "TwitterRocks." The most common 1,000 passwords on his site, Bowes wrote in an email to me, should probably be used as a blacklist for password choices on every site.

But the real solution, Bowes writes, isn't to require users to pick convoluted, non-word passwords they'll forget or have to write down.
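As an added example (not code from the article or from Bowes' site), here is a registration-time policy check in Python that applies the blacklist advice above: reject the most common breached passwords, reject anything containing the site's own name, and, going one step beyond the plain blacklist described in the article, reject trivial variants such as a blacklisted word with digits or punctuation tacked on. The blocklist entries and the site name are constructed placeholders; a real deployment would load the top-1,000 list from a breached-password corpus.

```python
"""Password blocklist check: reject common breached passwords, their
trivial variants, and passwords that embed the site name."""
import re

# Constructed sample blocklist (placeholder). In practice this would be the
# top-1,000 entries from a breached-password corpus, loaded from a file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "jesuschrist", "heaven", "christ", "blessed", "iloveyou",
}

SITE_NAME = "twitter"  # hypothetical site name, an assumption for the example


def normalize(password: str) -> str:
    """Reduce a password to a base form so that trivial variants such as
    'Password1' or 'PASSWORD!!' collide with the blocklisted word."""
    base = password.lower()
    base = re.sub(r"[^a-z0-9]", "", base)  # drop punctuation and spaces
    base = re.sub(r"\d+$", "", base)       # strip trailing digits
    return base or password.lower()        # all-digit input: keep as-is


def check_password(password: str, site_name: str = SITE_NAME,
                   blocklist: set = COMMON_PASSWORDS) -> tuple:
    """Return (accepted, reason). Checks in order: exact blocklist hit,
    variant of a blocklisted word, site name embedded in the password."""
    lowered = password.lower()
    if lowered in blocklist:
        return False, "on the common-password blocklist"
    base = normalize(password)
    if base in blocklist:
        return False, f"trivial variant of blocklisted password '{base}'"
    if site_name.lower() in lowered.replace(" ", ""):
        return False, "contains the site name"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "TwitterRocks", "jesuschrist",
                      "correct horse battery staple"]:
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```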