A great deal has already been said and written about Twitter's banned passwords list (view the page source to see the list, or visit The WunderCounter's blog). Compare the banned passwords against the list I've posted - or any of the numerous bad password lists posted on the 'net - and you'll find considerable overlap. Twitter's list also corroborates my claim that laziness, brain freeze, and flawed thinking dominate password composition.
The fact that Twitter employs a black list rather than enforcing a password policy at time of registration is an example of laziness and flawed thinking on the part of a service provider. Twitter, however, is simply this month's poster child for providers who could (and most likely will) make headlines for adhering to less-than-best user administration practices.
For many security practitioners, the most exasperating aspect of events (incidents?) like this is that managing the problem is a known and relatively straightforward effort. Establish a set of policies regarding password composition, complexity, length, lifetime, and re-use. Enforce these at time of user registration and whenever users require password recovery or reset. The policies can be derived from numerous sources and commonly include:
- Enforce a minimum password length
- Ensure that complexity criteria are satisfied (see my earlier blog about composition)
- Require that users change passwords with reasonable frequency (maximum password age)
- Maintain a password history so that the same passwords are not repeatedly used
There is nothing new or unique here. Surely there are trustworthy, reliable open source projects or libraries that provide this functionality. Twitter, please grab one, conduct a secure code check on what you've grabbed, and incorporate password policy enforcement into your signon page.
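To make the four policy items concrete, here is an added Python example (not code from this post, and not any particular library's implementation) that enforces them at registration or reset time: minimum length, character-class complexity, a banned-password check, a salted password history so the last N passwords cannot be reused, and a maximum-age test. The thresholds, the tiny banned list and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import List

# Constructed sample of a banned-password list; a real list is far longer.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "twitter"}

SECONDS_PER_DAY = 86_400
PBKDF2_ITERATIONS = 50_000  # assumed value; tune to your hardware


@dataclass
class PasswordPolicy:
    min_length: int = 12        # assumed threshold
    required_classes: int = 3   # of lowercase, uppercase, digit, symbol
    max_age_days: int = 90      # assumed maximum password age
    history_size: int = 5       # how many previous passwords are remembered


@dataclass
class PasswordRecord:
    """One historical password: salt + PBKDF2 digest + time it was set."""
    salt: bytes
    digest: bytes
    set_at: float


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str, now: float) -> PasswordRecord:
    """Store only a salted digest so the history never holds plaintext."""
    salt = secrets.token_bytes(16)
    return PasswordRecord(salt, _hash(password, salt), now)


def check_composition(password: str, policy: PasswordPolicy) -> List[str]:
    """Length, complexity and banned-list checks; returns a list of violations."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < policy.required_classes:
        problems.append(f"uses {classes} character classes, policy requires {policy.required_classes}")
    if password.lower() in BANNED_PASSWORDS:
        problems.append("appears on the banned-password list")
    return problems


def validate_new_password(password: str, history: List[PasswordRecord],
                          policy: PasswordPolicy) -> List[str]:
    """Full registration/reset check: composition plus history (re-use) check."""
    problems = check_composition(password, policy)
    for rec in history[-policy.history_size:]:
        # Re-hash the candidate with each stored salt; constant-time compare.
        if hmac.compare_digest(_hash(password, rec.salt), rec.digest):
            problems.append(f"matches one of the last {policy.history_size} passwords")
            break
    return problems


def password_expired(history: List[PasswordRecord], policy: PasswordPolicy, now: float) -> bool:
    """True when no password is set or the current one is older than max_age_days."""
    if not history:
        return True
    return now - history[-1].set_at > policy.max_age_days * SECONDS_PER_DAY


if __name__ == "__main__":
    policy = PasswordPolicy()
    now = time.time()
    print(validate_new_password("password", [], policy))
    history = [make_record("Correct-Horse-42-Battery", now)]
    print(validate_new_password("Correct-Horse-42-Battery", history, policy))
    print(password_expired(history, policy, now + 100 * SECONDS_PER_DAY))
```

Because the history stores only salted digests, the re-use check costs one PBKDF2 computation per remembered password, which is the price of not keeping old passwords in a recoverable form; the banned-list check is the cheap first line, and the policy checks are what the blacklist alone cannot provide.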
Other sharing and social media services, follow suit!