As you may have heard in the last few days, Twitter has banned 370 passwords (actually only 369, ‘password’ appears twice in the list) as ‘too obvious’ to be safe for their users. A good move in theory but why are so few words banned? And what are they? The list is available in various places online, or even just by viewing the source of the Twitter sign up page. Sadly the sports fans in this Sophos office may be out of luck with both ‘boston’ and ‘redsox’ making the banned list.
Fans of football, basketball or hockey are luckier though, no mention of ‘patriots’, ‘celtics’ or ‘bruins’, all of which are allowed but, quite correctly, flagged as weak.
It’s not clear yet where the folks at Twitter got their list of banned passwords from but it occurred to me that it might be interesting to compare it to another list of common passwords, this time a list that the bad guys are using, the 246 passwords used by Conficker. The lists have only 29 passwords in common with another 100 of the conficker list shorter than Twitter’s 6 character limit. That leaves 117 passwords that malware authors think are common but apparently Twitter does not.
Ideally Twitter would have a better system to discourage users from choosing poor passwords than a simple, and short, blacklist but to their credit they do give passwords a security rating. Their rating system for passwords that they do allow ranks passwords into 4 levels from ‘weak’ through ‘good’ and ‘strong’ to ‘very strong’. My advice is to make sure that your password is rated as Very Strong. You’ll need a long password or a combination of upper and lower case letters, numbers and special characters. If you need some help thinking up a very strong password that you can remember, Graham posted some hints on choosing strong passwords when he discussed conficker way back in January.