I am working on a password validation algorithm that needs to check potential passwords against the dictionary. If the password or any part of it can be found in the dictio
I think there is no need for checking against a dictionary, especially if you want to reject even a part of your password. English has a lot of small words and extending to multilingual dictionaries would possibly prevent using any password of a reasonable size without having every other letter be a 'z', 'q' or 'y': 'a', 'on', 'in', 'je', 'um', 'o' etc.
I don't fully understand why you're caring about a password in a dictionary when you can easily impose other simple rules:
The password with minimum length of 8 chars must consist of:
I think the old program was wwwhack.. it had a few brute force dictionaries you could use as a base (they were included as flat text files I think), other than that I don't know of any places that have common PW dictionaries available to the public.
I got the word list from here, and loaded it into my database. Removed all words less than 3 characters.
Wrote a C# function to parse each substring of a password (forward only for now) into an xml string.
Pass the xml string to a stored proc that creates a 1 column temp table with each substring making a row.
Join the temp table to my list of words, and if any rows are returned I know the password contains a dictionary word, and I know what substrings matched.
This works well, but I think we'll end up modifying the word list a bit as it may be too restrictive.
Thanks for the help on the word list
I originally tried to go the spell checker route, but I didn't find a way to do a spell check without either a 3rd party component (redistribution was too pricey and we are selling a product), or requiring MS Word on the server.
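The check described in this answer (every substring of the password becomes a row, then a join against the word list) can be done in memory without a stored procedure. The following is an added example written for this thread, not the poster's C# or SQL: a Python set replaces the temp table and join, short words are dropped as the poster did, and it goes one step beyond the "forward only for now" version by optionally checking the reversed password as well. `WORDS_RAW` is a small constructed word list standing in for the downloaded file; the function names are mine.

```python
# Added example, not the poster's code: substring-vs-word-list check in memory.
# WORDS_RAW is a constructed stand-in for the real word list file.
WORDS_RAW = """
the
cat
catalog
log
apple
a
in
on
"""

MIN_WORD_LEN = 3  # the poster removed all words shorter than 3 characters


def load_words(raw: str, min_len: int = MIN_WORD_LEN) -> set[str]:
    """Build a lowercase lookup set, discarding words shorter than min_len
    (two-letter words would match almost any password)."""
    return {w.strip().lower() for w in raw.splitlines()
            if len(w.strip()) >= min_len}


def substrings(s: str, min_len: int = MIN_WORD_LEN):
    """Yield every contiguous substring of s of length >= min_len.
    These are the rows the poster's stored proc puts in the temp table."""
    n = len(s)
    for i in range(n):
        for j in range(i + min_len, n + 1):
            yield s[i:j]


def dictionary_hits(password: str, words: set[str],
                    reverse: bool = False) -> list[tuple[str, str]]:
    """Return (matched_substring, direction) pairs, in order of discovery.
    'forward' is the poster's check; 'reversed' also catches words typed
    backwards when reverse=True."""
    hits = []
    lowered = password.lower()  # word list is lowercase, so compare case-insensitively
    for sub in substrings(lowered):
        if sub in words:
            hits.append((sub, "forward"))
    if reverse:
        for sub in substrings(lowered[::-1]):
            if sub in words:
                hits.append((sub, "reversed"))
    return list(dict.fromkeys(hits))  # drop duplicates, keep order


def contains_dictionary_word(password: str, words: set[str],
                             reverse: bool = False) -> bool:
    """The yes/no answer the poster derives from 'any rows returned'."""
    return bool(dictionary_hits(password, words, reverse))


if __name__ == "__main__":
    words = load_words(WORDS_RAW)
    for candidate in ("MyCatalog9", "x7golx", "Zq1!Yx"):
        print(candidate, dictionary_hits(candidate, words, reverse=True))
```

Because every substring is tested, a password built from two concatenated words is flagged on each component, so this also covers the combined-word case. The substring count grows quadratically with password length, which is harmless for passwords but would matter if the same routine were applied to long passphrases.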
Usually
or
depending on which unix you have.
There are more available online, such as this free multilingual dictionary
There are several open license general (not specific to passwords) word lists/databases. My favourite is the Princeton WordNet
Googling on free dictionaries gives you a lot of freely available dictionaries. If you upload them to a database, you can do a fast lookup for a known word.
However, don't think it will eliminate non-brute force attacks!
You should have a look at password cracking applications! The simplest extension of the dictionary attack is to combine words. Moreover, there are other types of attacks, like replacing characters that are close to each other on a keyboard. (For example: turn d to f.)
The best password cracking application I've seen so far is John the Ripper. If you see what kind of attacks it uses, you can build a better password generator.
You should also study user habits, because a typical password is a bad password. For example, most users put numbers at their passphrase's end, so a strong password is one which has a number in its middle.