Badly implemented password security

Go to https://twitter.com/signup, right-click the page, and then select “View Page Source” (Firefox/Google Chrome) or “View Source” (IE). There, in all its glory, embedded in the page that is sent to every visitor, you will find Twitter’s list of forbidden passwords (all credit to Sophos, who pointed out that the list was available for all to see).

For what it’s worth, I have long since stopped advising that people use “strong passwords”. Rather, I encourage the use of “pass phrases”. Unfortunately, pass phrases don’t work with web sites that limit the number of characters you can use, or that do not allow non-standard characters such as spaces (sadly, there are still too many web sites that do that), but for the rest, pass phrases such as “I may move slow but I look good!” are very easy to remember and, because of their length, extremely difficult to crack.

BTW, the password “password1234” is accepted by Twitter (and is assessed by the Twitter sign-up page as “strong”), as are “1password”, “!@#$%^&*()” and “twitter123” (assessed as “good”)… A meter that only counts length and character classes, and never looks at what the characters actually spell, cannot tell “password1234” from a random string of the same length. I’m not sure what security Twitter thinks they are achieving…
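To make the point concrete, here is an added example (my own code, not Twitter’s and not taken from the page source above) that places a naive class-counting strength meter, of the kind described above, beside a server-side policy check that does what the meter does not: it undoes common leet-speak substitutions, rejects anything containing “password” or the site’s own name, spots keyboard walks such as “1234” and “!@#$%^&*()”, and still accepts a pass phrase with spaces. The blocklist, the meter’s weighting and the 12-character minimum are all assumptions chosen for illustration.

```python
import re

# Constructed blocklist for illustration only; it is not Twitter's list.
BLOCKLIST = {"password", "letmein", "welcome", "iloveyou", "qwerty"}

# Common leet-speak substitutions, undone before the blocklist comparison so
# that "P@ssw0rd" and "passw0rd" are caught as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard rows used to spot walks such as "1234" or "!@#$%^&*()".
KEYBOARD_ROWS = ("1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm")
WALK_LEN = 4


def naive_strength(pw: str) -> str:
    """Class-counting meter of the kind the post complains about (hypothetical
    weighting). It rewards length and character variety and never looks at
    what the characters spell, so 'password1234' comes out as 'strong'."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    score = len(pw) + 2 * classes
    if score >= 16:
        return "strong"
    if score >= 12:
        return "good"
    return "weak"


def normalize(pw: str) -> str:
    """Lower-case and undo leet-speak before comparing against the blocklist."""
    return pw.lower().translate(LEET)


def has_keyboard_walk(pw: str, run: int = WALK_LEN) -> bool:
    """True if the password contains `run` consecutive keys from one keyboard
    row, in either direction. Checked on the raw (lower-cased) string, not the
    leet-normalized one, so digit runs are still visible."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw: str, site_name: str = "twitter",
                   min_len: int = 12, max_len: int = 128) -> list[str]:
    """Server-side policy check (assumed thresholds). Returns every reason the
    password is rejected; an empty list means it is acceptable. Spaces are
    allowed, so pass phrases work; the upper bound only limits the work the
    password hash has to do."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    norm = normalize(pw)
    for word in sorted(BLOCKLIST | {site_name.lower()}):
        if word in norm:
            reasons.append(f"contains blocked word {word!r}")
    if has_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    return reasons


if __name__ == "__main__":
    # The candidates from the post, plus a leet-speak variant and the pass phrase.
    for candidate in ("password1234", "1password", "!@#$%^&*()", "twitter123",
                      "P@ssw0rd!!!!", "I may move slow but I look good!"):
        print(f"{candidate!r:40} meter={naive_strength(candidate):6} "
              f"policy={check_password(candidate) or 'accepted'}")
```

Run stand-alone it prints one line per candidate: the meter rates “password1234” as strong and “twitter123” as good, exactly the behaviour complained about, while the policy check rejects all four of the post’s examples and accepts only the pass phrase. The important design choice is that this check runs on the server; a list shipped in the page is at best a usability hint, since anyone can submit the form without running the script.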


Published Tue, Dec 29 2009 11:35 by sandi

Comments

# re: Badly implemented password security

Tuesday, December 29, 2009 2:54 PM by Matt

You can't really know if this is "badly implemented" unless you know the motivation behind it.  It does exactly what it is supposed to do, prevent those passwords from being used by users.  Perhaps it could be bypassed if the same checks aren't done on the server, but that would have to be intentional.

# re: Badly implemented password security

Wednesday, December 30, 2009 3:12 AM by Slav

The password blacklist doesn't constitute bad password security. Client-side script implementing the blacklist probably gives an opportunity to bypass the check, but that will only result in a lousy password for those who make the effort.

This is a non-issue.

# re: Badly implemented password security

Wednesday, December 30, 2009 7:25 PM by sandi

It is not a non-issue. The implementation is silly, and ineffective, and it is very worrying that a site such as Twitter, where accounts are forever under attack, should be so lax in their password requirements.

1) Why let the world see the list in the first place?

2) "Password" (and variations such as passw0rd) should be banned *completely* on all sites.

3) The use of the word "Twitter" and variations as part of password should be banned *completely* on that site.

4) To reassure users that "password1234" is a "strong" password is dangerous for the end user and encourages very bad practice - the very fact that the word "password" is included should immediately flag the password as dangerous.

5) Spaces are not accepted - bad.

6) The minimum number of characters required is only 6 - bad.