Tuesday, December 8, 2009

Twitter and Avoiding Weak Passwords

A friend and I were recently poking around the Twitter signup process, having a look at how the field validation takes place. As we were doing so, we noticed that Twitter has embedded a list of banned passwords directly into the source of the signup page, so at least the first check of a new password against that list happens in your browser.

Just to make it easy for you, I've reproduced the list on this page. I've filtered out some of the racier ones just to keep things family friendly. If you'd like to see the full, original list, just open up the source code of https://twitter.com/signup with your favourite browser, search for "twttr.BANNED_PASSWORDS" and you'll find the entire list.

I'm presenting this because it's an interesting study of what Twitter thinks is a bad idea. I would guess that many of these passwords were taken from published lists of the most common passwords, the same lists used when cracking accounts, and that is precisely why they are worth banning: a password that appears on such a list will fall within the first few thousand guesses of a dictionary attack, however well it is hashed. Two things are worth noticing about the list itself. It is an exact-match list, so "password", "password1", "password12" and "password123" each have to be spelled out individually, and a variant that isn't spelled out will sail through. And because it is shipped in the page source, it is only as strong as the browser running it; anyone who submits the form without running the script skips the check entirely, so a list like this has to be enforced on the server as well (whether Twitter does that isn't visible from the page). If you currently use passwords which resemble any of those listed below, I'd encourage you to change them as soon as possible.
  • 111111
  • 11111111
  • 112233
  • 121212
  • 123123
  • 123456
  • 1234567
  • 12345678
  • 131313
  • 232323
  • 654321
  • 666666
  • 696969
  • 777777
  • 7777777
  • 8675309
  • 987654
  • aaaaaa
  • abc123
  • abc123
  • abcdef
  • abgrtyu
  • access
  • access14
  • action
  • albert
  • alexis
  • amanda
  • amateur
  • andrea
  • andrew
  • angela
  • angels
  • animal
  • anthony
  • apollo
  • apples
  • arsenal
  • arthur
  • asdfgh
  • asdfgh
  • ashley
  • august
  • austin
  • badboy
  • bailey
  • banana
  • barney
  • baseball
  • batman
  • beaver
  • beavis
  • bigdaddy
  • bigdog
  • birdie
  • bitches
  • biteme
  • blazer
  • blonde
  • blondes
  • bond007
  • bonnie
  • booboo
  • booger
  • boomer
  • boston
  • brandon
  • brandy
  • braves
  • brazil
  • bronco
  • broncos
  • bulldog
  • buster
  • butter
  • butthead
  • calvin
  • camaro
  • cameron
  • canada
  • captain
  • carlos
  • carter
  • casper
  • charles
  • charlie
  • cheese
  • chelsea
  • chester
  • chicago
  • chicken
  • cocacola
  • coffee
  • college
  • compaq
  • computer
  • cookie
  • cooper
  • corvette
  • cowboy
  • cowboys
  • crystal
  • dakota
  • dallas
  • daniel
  • danielle
  • debbie
  • dennis
  • diablo
  • diamond
  • doctor
  • doggie
  • dolphin
  • dolphins
  • donald
  • dragon
  • dreams
  • driver
  • eagle1
  • eagles
  • edward
  • einstein
  • erotic
  • extreme
  • falcon
  • fender
  • ferrari
  • firebird
  • fishing
  • florida
  • flower
  • flyers
  • football
  • forever
  • freddy
  • freedom
  • gandalf
  • gateway
  • gators
  • gemini
  • george
  • giants
  • ginger
  • golden
  • golfer
  • gordon
  • gregory
  • guitar
  • gunner
  • hammer
  • hannah
  • hardcore
  • harley
  • heather
  • helpme
  • hockey
  • hooters
  • horney
  • hotdog
  • hunter
  • hunting
  • iceman
  • iloveyou
  • internet
  • iwantu
  • jackie
  • jackson
  • jaguar
  • jasmine
  • jasper
  • jennifer
  • jeremy
  • jessica
  • johnny
  • johnson
  • jordan
  • joseph
  • joshua
  • junior
  • justin
  • killer
  • knight
  • ladies
  • lakers
  • lauren
  • leather
  • legend
  • letmein
  • little
  • london
  • lovers
  • maddog
  • madison
  • maggie
  • magnum
  • marine
  • marlboro
  • martin
  • marvin
  • master
  • matrix
  • matthew
  • maverick
  • maxwell
  • melissa
  • member
  • mercedes
  • merlin
  • michael
  • michelle
  • mickey
  • midnight
  • miller
  • mistress
  • monica
  • monkey
  • monkey
  • monster
  • morgan
  • mother
  • mountain
  • muffin
  • murphy
  • mustang
  • naked
  • nascar
  • nathan
  • naughty
  • ncc1701
  • newyork
  • nicholas
  • nicole
  • nipple
  • nipples
  • oliver
  • orange
  • packers
  • panther
  • panties
  • parker
  • password
  • password
  • password1
  • password12
  • password123
  • patrick
  • peaches
  • peanut
  • pepper
  • phantom
  • phoenix
  • player
  • please
  • pookie
  • porsche
  • prince
  • princess
  • private
  • purple
  • pussies
  • qazwsx
  • qwerty
  • qwertyui
  • rabbit
  • rachel
  • racing
  • raiders
  • rainbow
  • ranger
  • rangers
  • rebecca
  • redskins
  • redsox
  • redwings
  • richard
  • robert
  • rocket
  • rosebud
  • runner
  • rush2112
  • russia
  • samantha
  • sammy
  • samson
  • sandra
  • saturn
  • scooby
  • scooter
  • scorpio
  • scorpion
  • secret
  • sexsex
  • shadow
  • shannon
  • shaved
  • sierra
  • silver
  • skippy
  • slayer
  • smokey
  • snoopy
  • soccer
  • sophie
  • spanky
  • sparky
  • spider
  • squirt
  • srinivas
  • startrek
  • starwars
  • steelers
  • steven
  • sticky
  • stupid
  • success
  • summer
  • sunshine
  • superman
  • surfer
  • swimming
  • sydney
  • taylor
  • tennis
  • teresa
  • tester
  • testing
  • theman
  • thomas
  • thunder
  • thx1138
  • tiffany
  • tigers
  • tigger
  • tomcat
  • topgun
  • toyota
  • travis
  • trouble
  • trustno1
  • tucker
  • turtle
  • twitter
  • united
  • vagina
  • victor
  • victoria
  • viking
  • voodoo
  • voyager
  • walter
  • warrior
  • welcome
  • whatever
  • william
  • willie
  • wilson
  • winner
  • winston
  • winter
  • wizard
  • xavier
  • xxxxxx
  • xxxxxxxx
  • yamaha
  • yankee
  • yankees
  • yellow
  • zxcvbn
  • zxcvbnm
  • zzzzzz
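To make the mechanics concrete, here is a small piece of JavaScript I've added for this post; it is not Twitter's code and nothing in it was taken from the signup page beyond the twttr.BANNED_PASSWORDS name. It pulls an array in that style out of a constructed snippet of page source, runs the exact-match check the signup page appears to do, and then goes one step further than the page: it also rejects any password made of a single repeated character and any banned word with digits or punctuation tacked on the end, since the list above covers "password", "password1", "password12" and "password123" one by one but nothing else in that family. The sample page source, its ten-entry list, and the reason strings returned by checkPassword are all made up for the example.

```javascript
// Added example, not Twitter's code. Pulls a twttr.BANNED_PASSWORDS-style
// array out of page source, applies the exact-match check the signup page
// appears to do, and adds two generalisations the page's list hints at.

// CONSTRUCTED stand-in for the signup page source; the real list is far longer.
const SAMPLE_SIGNUP_SOURCE = `
<html><head>
<script type="text/javascript">
  twttr.BANNED_PASSWORDS = ["111111", "123456", "aaaaaa", "password",
    "password1", "password123", "qwerty", "letmein", "twitter", "xxxxxx"];
</script>
</head><body></body></html>
`;

// Find the literal array assigned to twttr.BANNED_PASSWORDS and parse it.
// A plain array of double-quoted strings is valid JSON; if the shape differs
// we return [] rather than guess.
function extractBannedPasswords(source) {
  const m = /twttr\.BANNED_PASSWORDS\s*=\s*(\[[^\]]*\])/.exec(source);
  if (!m) return [];
  try {
    return JSON.parse(m[1]).map((p) => String(p).toLowerCase());
  } catch (err) {
    return [];
  }
}

// Exact-match check as described in the post. The entries are lowercase,
// so compare case-insensitively ("Password1" is no better than "password1").
function isBannedExact(candidate, bannedSet) {
  return bannedSet.has(candidate.toLowerCase());
}

// Generalisation (added here, not on the page): the list bans "password",
// "password1", "password12" and "password123" individually, which still
// lets "password9" through. Strip trailing digits/punctuation and re-check.
function stem(candidate) {
  return candidate.toLowerCase().replace(/[\d!@#$%^&*._-]+$/, "");
}

// Generalisation (added here): "111111", "aaaaaa", "xxxxxx", "zzzzzz" are
// listed, but any password made of one repeated character is just as weak.
function isSingleRepeatedChar(candidate) {
  return /^(.)\1+$/.test(candidate);
}

// Combined check. Returns one of "banned", "repeated", "banned_variant" or
// "ok"; these reason strings are hypothetical names chosen for the example.
function checkPassword(candidate, bannedList) {
  const bannedSet = new Set(bannedList);
  if (isBannedExact(candidate, bannedSet)) return "banned";
  if (isSingleRepeatedChar(candidate)) return "repeated";
  const s = stem(candidate);
  if (s.length > 0 && s !== candidate.toLowerCase() && bannedSet.has(s)) {
    return "banned_variant";
  }
  return "ok";
}

const BANNED = extractBannedPasswords(SAMPLE_SIGNUP_SOURCE);
for (const p of ["123456", "Password1", "password9", "xxxxxxx", "correct horse"]) {
  console.log(p.padEnd(14), "->", checkPassword(p, BANNED));
}
```

Because the list lives in the page, anyone can read it (which is how this post came about) and anyone can skip the check by posting the form without running the script, so whatever the browser does, the same functions need to run on the server before the password is accepted; the ones above have no DOM dependencies so they can be loaded in either place.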

9 comments:

Chris said...

Thanks for the post, also we must try to change the password at least once a year with a new one. I use Roboform and create complex passwords.

blogje said...

fortunately you still can use ****** as password...

Окна said...

Interesting where they got this list from. If they analyzed the passwords their users used most often, then that would mean that they store the passwords not hashed, and that's probably a security issue. On the other hand, if they got it from somewhere else, I wonder where.

Anonymous said...

Funny that the above list is censored, I suppose as to not offend the squeamish (or the Blogger ToS...). The source code is much more X-rated. The duplicates are duly reproduced, though.

Eric said...

Interesting that xxxxxx (6 xs) and xxxxxxxx (8 xs) are explicitly banned. Which means xxxxxxx (7 xs) is okay.

Talk about arbitrary.

Anonymous said...

This is not the full list. To see the full list, go to the signup page and view-source. Some of them are quite explicit. ;X

test said...

@Anonymous That is correct. I figured I'd keep this list "family friendly". ;)

Caitlin Backlinker said...

This is a helpful and not to mention funny post. Funny because of the passwords that people come up with and also the comments contributed.

usabestbuystores said...

Thanks for the post, also we must try to change the password at least once a year with a new one. I use Roboform and create complex passwords.