Twitter has hard-coded some 370 words in its sign-up page that are not allowed to be used as passwords for new accounts. The list is a good addition to the password strength algorithm already implemented, but it raises several questions about its source.
It is no secret that many Internet users still employ dictionary words and easy-to-guess names as passwords, even for their important accounts. Back in September, we reported that an analysis performed by a security enthusiast on a database of over 850,000 accounts revealed highly insecure password habits.
The aforementioned study showed that 3.5% of people used their first name as their password, while 1.6% used their last name. The notorious "123456" string was chosen by 2% of users, and 0.5% settled for "password" as their access code. Fortunately, Twitter's list of banned passwords includes both of them.
In addition to common dictionary words, the list also includes the names of popular TV shows, characters, sports teams, brands, and places. However, security researchers note that it is quite different from other similar lists used for brute-force attacks.
"It's not clear yet where the folks at Twitter got their list of banned passwords from but it occurred to me that it might be interesting to compare it to another list of common passwords, this time a list that the bad guys are using, the 246 passwords used by Conficker," wrote Richard Wang of SophosLabs US. The result was that the two lists share only 29 passwords.
After removing the strings under six characters from the Conficker list, which wouldn't be accepted as passwords on Twitter by default, the researcher concludes that there are still "117 passwords that malware authors think are common but apparently Twitter does not."
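The two mechanics the article describes, a sign-up check against a hard-coded blocklist with a six-character minimum and an audit that compares that blocklist with a list attackers actually try, as an added example (not Twitter's or Sophos' code). The lists are small constructed samples, not the real twttr.BANNED_PASSWORDS or Conficker lists, and case-insensitive matching is an assumption, since the article does not say how Twitter compares entries. A list shipped in the sign-up page's JavaScript is only a convenience for the user; the same check has to run on the server to be enforced.

```python
# Added example: blocklist password check plus a coverage audit of the blocklist.
# All lists below are constructed samples, not the real Twitter or Conficker lists.

MIN_LENGTH = 6  # the article: strings under six characters are rejected by default

# Constructed sample of a sign-up blocklist (not the real twttr.BANNED_PASSWORDS).
BANNED_PASSWORDS = {"123456", "password", "crystal", "twitter", "football", "qwerty"}

# Constructed sample of a list attackers are known to try (not the real Conficker list).
ATTACKER_LIST = ["123456", "password", "admin", "happiness", "abc",
                 "letmein", "football", "root"]


def is_password_allowed(password: str, banned=BANNED_PASSWORDS,
                        min_length: int = MIN_LENGTH) -> bool:
    """True if the password meets the length rule and is not on the blocklist.

    Matching is case-insensitive (assumption: the article does not say how
    Twitter compares entries), so "Password" is rejected like "password".
    """
    if len(password) < min_length:
        return False
    banned_lc = {b.lower() for b in banned}
    return password.lower() not in banned_lc


def audit_blocklist(banned, attacker_list, min_length: int = MIN_LENGTH):
    """Reproduce the comparison described in the article.

    Returns (common, missed): the entries both lists share, and the
    attacker-list entries that pass the length rule but are absent from
    the blocklist, i.e. passwords the sign-up check would still accept.
    Entries shorter than min_length are dropped from `missed` because the
    length rule alone already rejects them.
    """
    banned_lc = {b.lower() for b in banned}
    attacker_lc = {a.lower() for a in attacker_list}
    common = sorted(banned_lc & attacker_lc)
    missed = sorted(a for a in attacker_lc - banned_lc if len(a) >= min_length)
    return common, missed


if __name__ == "__main__":
    shared, gaps = audit_blocklist(BANNED_PASSWORDS, ATTACKER_LIST)
    print(f"{len(shared)} in common: {shared}")
    print(f"{len(gaps)} acceptable-length entries the blocklist misses: {gaps}")
```

Running `audit_blocklist` against a real attacker wordlist is the quickest way to find the "happiness"-style gaps the article goes on to describe.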
Others, like TechCrunch, which reported on the list, wondered whether the company compiled it by analyzing the history of password use on its own service. If that were the case, then they missed at least one that they most certainly shouldn't have - "happiness."
This word was used for authentication by a Twitter support staffer named "Crystal," whose account was compromised through brute force by an 18-year-old hacker at the beginning of this year. This allowed the attacker to hijack 33 high-profile Twitter accounts, including those of Britney Spears, Barack Obama, Rick Sanchez, and Fox News. Ironically, though, the word "crystal" made it onto Twitter's list.
The complete list can be viewed by searching the source code of Twitter's sign-up page for "twttr.BANNED_PASSWORDS."