One of my first teachers on the net was the legendary Swedish software analyser Ray Biez, I think he was 17 years old at the time. Ray would often repeat the mantra – “No security is better than lame security” – & it’s even more true today, nearly 20 years later.
Mark Burnett over @ xato.net specialises in password technology, harvesting passwords from public sources across the web. Attached is his list of the ten thousand most popular passwords in general use today. According to Burnett, this list covers over 98% of all passwords in use everywhere, which, considering the speed with which your average desktop PC can brute force a list that short, is a very spooky thought indeed.
Burnett harvests passwords in a variety of ways –
- I use tools such as Athena, which does massive Google searches for and collects passwords in the format “http://user:[email protected]/members”. This tool can easily gather 200,000 combos in a day but the majority of these are already in my database. I run this about once a month.
- I have a script that nightly leeches from a huge list of well-known password sharing web sites.
- I use a number of Google alerts that watch for common keylogger log formats. This is just one of many that I use. There are a surprisingly huge number of these logs that can be found via Google, although it is sometimes difficult to parse the passwords from the content.
- I use Google alerts to watch for SQL database dumps of forum and other common software databases.
- I also use Google alerts to look for passwords on pastebin.com and other related sites.
These are amongst his other methods. The list makes for (un)interesting reading, & is good for embarrassing those peeps you know who refuse to bother with strong passwords. Use Notepad to search the list for their simple passwords.
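The defender's use of a list like this is a blocklist check: reject (or flag at audit time) any password that is on the list or is a trivial variant of one, the same way an attacker's wordlist rules would expand it. The example below is added here and is not Burnett's code or tooling; the ten-entry list, the leet-speak mapping and the sample user passwords are constructed for illustration, and `load_blocklist`, `normalize`, `is_common` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample standing in for a "most common passwords" list
# (hypothetical entries, not Burnett's real 10k list).
COMMON_PASSWORDS = """
123456
password
12345678
qwerty
abc123
letmein
monkey
iloveyou
trustno1
dragon
""".split()

# Minimal leet-speak folding: @->a, $->s, !->i, 0->o, 1->l, 3->e.
# Attack wordlist rules do the same expansion, so the check folds it away.
LEET = str.maketrans("@$!013", "asiole")


def normalize(password: str) -> str:
    """Fold case, strip a trailing run of digits/symbols (e.g. 'Password1!'),
    then undo common leet substitutions so 'P@ssw0rd' compares as 'password'."""
    s = password.strip().lower()
    stripped = re.sub(r"[\d\W_]+$", "", s)
    if stripped:            # an all-digit entry like '123456' keeps its value
        s = stripped
    return s.translate(LEET)


def load_blocklist(entries):
    """Build both an exact set and a normalized set from a list of passwords."""
    exact = {e.strip().lower() for e in entries if e.strip()}
    folded = {normalize(e) for e in entries if e.strip()}
    return {"exact": exact, "folded": folded}


def is_common(password: str, blocklist) -> bool:
    """True if the password, or its normalized form, is on the list.
    Note the folding is deliberately broad: 'abc999' collides with 'abc123'
    because both fold to 'abc'; that is the behaviour wanted for a blocklist."""
    return (password.strip().lower() in blocklist["exact"]
            or normalize(password) in blocklist["folded"])


def audit(passwords, blocklist):
    """Return (hits, total) for a batch of passwords, e.g. a password-policy
    self-check run over a constructed set of candidate user passwords."""
    hits = sum(1 for p in passwords if is_common(p, blocklist))
    return hits, len(passwords)


if __name__ == "__main__":
    bl = load_blocklist(COMMON_PASSWORDS)
    # Constructed sample of user-chosen passwords for the audit.
    sample = ["Qwerty!", "summer2023", "Monkey1", "Dragon", "xK9#vQ2pL"]
    for p in sample:
        print(f"{p!r:16} common={is_common(p, bl)}")
    print("hits/total:", audit(sample, bl))
```

Run as a script it prints the per-password verdict and the overall hit count; in a registration flow the same `is_common` check sits before the hash-and-store step so the ten-thousand-word list is rejected up front instead of relying on the hash to slow down a guess that takes a desktop PC milliseconds.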
Download here: 10k most common passwords