Password Insecurity – Wordlists/Dictionaries
You might as well throw away your secure code, served over a secure connection (SSL), because the users who use it will have a one-word, easy-to-remember password.
Top 500 Passwords
The starting point of every password cracker (or it should be). Of course the first ten from the list are: 123456, password, 12345678, 1234, pussy, 12345, dragon, qwerty, 696969, mustang. There are some small variations between the top-password lists around the web, but they largely overlap.
Anyway, take a look at the Top 500 Worst Passwords Of All Time to get the big picture of password complexity/safety from an average user's perspective.
Wordlists
The most important resource when it comes to password cracking. Some wordlists (and collections of wordlists): Oxford Uni Wordlists, The Argon Wordlists, Wordlists for brute forcing, Openwall Wordlists Collection, Outpost9 Wordlists, Packetstorm Wordlists. How could I forget Milw0rm's dictionary full of funky passwords.
Also don't forget that some users tend to use l33t passwords. Forging a l33t wordlist would also bring a higher success rate.
sed -e 's/e/3/g' -e 's/a/4/g' -e 's/i/1/g' -e 's/o/0/g' words.dic > leet.dic
Profiled Wordlists
If the above wordlists didn't already cover all the words you needed, then you may also be interested in password profiling. One such tool (script) is Wyd, which produces wordlists from given html, doc, mp3, jpeg, pdf and php files. You can imagine the abundance of uncommon words that can be extracted from files like doc, pdf and mp3.
Still not satisfied? As a last resort I would recommend the Associative Word List Generator.
The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.
I gave it a couple of tries and can say that it seems very useful. One thing that surprised me about it was that it threw some CSS/JavaScript code into the results. Parser bug? Who knows.
Password versus Pass Phrase
I think that passwords should be put in a chest and buried alongside all the uppercase/lowercase/special-character enforcements. I really don't want to have jk3$x@#I as a password.
Instead I would recommend that developers enforce a minimum password length of 10 characters. I would also recommend that sysadmins periodically check their users' passwords against wordlists, just to make sure their systems can't be penetrated because of foolish passwords.
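Putting the l33t mangling from the Wordlists section and the periodic wordlist check above together, here is an added example that is not from the original post: a small Python audit helper that expands a wordlist with its l33t spellings (going beyond the sed one-liner, which emits only the fully substituted form) and rejects any password shorter than 10 characters or matching an expanded entry. The wordlist is constructed sample data and the function names are my own.

```python
import itertools
import re

# Constructed sample wordlist, standing in for words.dic or a Top-500 list.
SAMPLE_WORDS = ["password", "dragon", "mustang", "qwerty", "letmein"]

# Same substitutions as the sed one-liner in the Wordlists section.
LEET_MAP = {"e": "3", "a": "4", "i": "1", "o": "0"}


def leet_variants(word):
    """Return every l33t spelling of `word`.

    The sed pipeline yields only the fully substituted form (p4ssw0rd);
    here each letter class is substituted or left alone independently,
    so partial spellings such as passw0rd are covered as well.
    """
    letters = [c for c in LEET_MAP if c in word]
    variants = set()
    for n in range(len(letters) + 1):
        for subset in itertools.combinations(letters, n):
            w = word
            for c in subset:
                w = w.replace(c, LEET_MAP[c])  # /g semantics, like sed
            variants.add(w)
    return variants


def build_blocklist(words):
    """Lower-case each wordlist entry and expand it with its l33t variants."""
    blocklist = set()
    for w in words:
        blocklist.update(leet_variants(w.lower()))
    return blocklist


def check_password(password, blocklist, min_len=10):
    """Return the policy violations for `password` (empty list = accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    candidate = password.lower()
    # Also test with a trailing digit run removed (password1, dragon2024).
    stem = re.sub(r"\d+$", "", candidate)
    if candidate in blocklist or stem in blocklist:
        problems.append("matches a wordlist entry or its l33t variant")
    return problems


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_WORDS)
    for pw in ["P4ssw0rd", "dr4gon2024", "jk3$x@#I", "correct horse battery"]:
        print(pw, "->", check_password(pw, bl) or "ok")
```

Against a real system you would feed it the cracked or recovered plaintexts from a wordlist run, not the hashes themselves.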