Twitter's 370 banned passwords

Password security is something that nearly all sites (including Neowin) take very seriously. Twitter is no exception: it has 370 passwords that are banned from use on the popular social networking site.

TechCrunch has discovered that Twitter hard-coded the list into the sign-up page; all you need to do is view the page source and search for 'twttr.BANNED_PASSWORDS' to find the list of banned passwords.

It's a little ironic that they have these listed in such an accessible place. An attacker running a dictionary attack could drop these 370 words from the dictionary and shave a little time off cracking an account, though the saving is not significant.

The full 370-word list (actually 369 words, as "password" is on the list twice) is available below as a text file. Remember to keep your passwords as unique as possible: the more characters, numbers and special characters (if allowed) they contain, the less likely your account is to be compromised.
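The check Twitter ships in the sign-up page only runs in the visitor's browser, so anyone can read it and skip it. As an added example (not Twitter's code), here is the same deny-list check as a server would enforce it, using a small constructed sample list (with the duplicate "password" entry the article notes), an assumed 6-character minimum, and the fraction of an assumed 10-million-entry dictionary that the 369 banned words represent:

```javascript
// Added example, not Twitter's code. The real list lives in the page as
// twttr.BANNED_PASSWORDS; a client-side check only helps honest users, so the
// same check has to run on the server. SAMPLE_BANNED is a constructed sample,
// not the real 370 entries; it repeats "password" to mirror the duplicate.
const SAMPLE_BANNED = ['password', '123456', 'qwerty', 'twitter', 'Password', 'letmein'];

// Normalise entries and drop duplicates, so "password"/"Password" count once
// (the article's 370 entries collapse to 369 the same way).
function buildBannedSet(list) {
  return new Set(list.map((p) => p.trim().toLowerCase()));
}

// Return { ok, reason }. The comparison is case-insensitive: a deny list that
// rejects "password" but accepts "PASSWORD" is not doing its job.
// minLength = 6 is an assumed policy value, not something Twitter states.
function validatePassword(candidate, bannedSet, minLength = 6) {
  const pw = String(candidate);
  if (pw.length < minLength) return { ok: false, reason: 'too short' };
  if (bannedSet.has(pw.trim().toLowerCase())) return { ok: false, reason: 'banned' };
  return { ok: true, reason: null };
}

// Fraction of a dictionary an attacker could skip by removing the banned
// words: the article's "not significant" saving, in numbers.
function dictionaryReduction(bannedCount, dictionarySize) {
  return bannedCount / dictionarySize;
}

const banned = buildBannedSet(SAMPLE_BANNED);
console.log(banned.size);                          // 5: duplicate removed
console.log(validatePassword('PassWord', banned)); // { ok: false, reason: 'banned' }
console.log(dictionaryReduction(369, 10000000));   // 0.0000369 (assumed 10M-word dictionary)
```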

Download: Banned Twitter Password List

52 Comments

Interesting, my passwords are not listed there. yay me!

I do know, working as tech support for 4 years, that 12345678 is a password used on many email accounts.

I have been pondering for years now, if a 2nd password needs to be introduced, 2 passwords per account, or just use that random letter THINGY, to stop bots.

My concern is that someone may use these common words to 'hack' into accounts of people on OTHER social networking sites - clearly they're common...

This is like something I saw on the news once. The story was about a lost child and the reporter said, with no intended sarcasm: "The child may be in Spain, or anywhere else in the world."

Oh, OK! Well, that narrows it down.

Although I'm for improving security, I would be annoyed as hell if someone told me I couldn't have a password even though it may fit the minimum "1 number, 1 alpha, 6-8 characters" standard rules.

Kind of interesting to compare the downloadable list to the actual code on the Twitter page... it looks to me like someone has applied some selective editing to the downloadable one. Guess they don't want us to have our sensibilities offended.

How does it make their life easy? If it was a white list sure...but this black list doesn't change a thing for them other than telling them not to manually attempt to use the word "password" or whatever.

still1 said,
What's the point in having the banned passwords easily accessible in a file? It makes the hacker's life easy.

Nah, they don't rely on that stuff anyway, just dictionary attacks. This reduces the number of passwords to try by a minuscule amount.

If an attacker were to base his attack off of a dictionary, they could remove these 370 words and cut down on the amount of time it would take to crack the account, albeit not significantly reducing the time.

*facepalm* Then why even say that to begin with?

The time taken to create the code to skip those 370 words would probably be considerably longer than any time saved by skipping the words.

I agree, I read that and went 'WTF'. With millions of possible passwords 370 isn't so much 'not significantly reducing the time' as it is not making any difference at all.

That is a very odd list of the most high-risk low-security passwords.

While obviously they're all not good, and some are terrible, I don't see what makes some of them so bad. In fact, it makes me think that they've done something like a survey of dictionary-based passwords on Twitter and have revealed some of the most common words in their passwords :p

I would, of course, hope that Twitter doesn't store passwords but instead hashes, though!!

Danielr0y said,
-1
That would only further reduce the time it takes to hack them.

By forcing hackers to rely on brute-force attacks rather than dictionary attacks? :S
Dictionary attacks are several orders of magnitude more efficient.

they could remove these 370 words and cut down on the amount of time it would take to crack the account.

Right, reduce it by 0.0000001%.

He's not an arse. He has a valid point, as do posts #19 and #19.1. Quoting Bhav - "then why even say that to begin with". It's an incredibly inane addition to the TechCrunch article.

I imagine "monitor" should be on there. People tend to use things around them as passwords so they can remember them.