What would be interesting to know is if Twitter got this list from somewhere else, or if they actually analyze which passwords were most commonly chosen by its tens of millions of users in the past
I thought it was the journalist's job to research, not the reader's. Would it be that hard to fire up an email to Twitter and say 'hey, this is Techcrunch, we have a question...'? It's not like this is urgent news and must be published right now or become worthless...
In the New Model, it's good for a site like TC to leave obvious questions unanswered, or even a blatant error or two in the story. It triggers comments and followup stories!
This is a pretty silly question. Lists of most insecure passwords have been posted since the dark ages. Meanwhile, Twitter doesn't store passwords and can't analyze them (without going through contortions).
They could store plain text passwords plus a counter for each. Just so long as there's no connection to the users. They would not need that connection for this purpose.
(a) This fairly qualifies as "contortions", and (b) if an enterprising blogger found out that they were doing this, they could construct a convincing post that this was a security vulnerability (for instance, through timing).
If you like, you can also suggest that they simply SHA1 passwords, and keep a database of well-known passwords and their SHA1 hashes. But again: a lot of effort for almost no benefit. The list-of-worst-passwords is a very solved problem.
It just so happens that Twitter has hard-coded all banned passwords on the sign-up page. All you need to do to retrieve the full list of unwelcome passwords is take a look at the source code of that page.
Unless, umm, that page is itself dynamically generated, and just does the check there to avoid an extra roundtrip.
I agree. This is hardly one of TC's better articles. Why don't the people who post and vote for these just subscribe to the TC feed and read the TC comments?
To all you sys admins out there: Is rush2112 really as common as some of these? I am a bit chagrined by its presence on this list as I have used that as a low security password for 10 years. In fact it is currently my password to HN!! (of course by the time you read this I will have changed it :P )
18 comments
[ 2.6 ms ] story [ 39.0 ms ] threadI thought it was the journalist's job to research, not the reader's. Would it be that hard to fire up an email to Twitter and say 'hey, this is Techcrunch, we have a question...'? It's not like this is urgent news and must be published right now or become worthless...
Like the old model, editorial professionalism is simply to bring return customers and provide a larger market base to your advertisers.
There's your answer!
If you like, you can also suggest that they simply SHA1 passwords, and keep a database of well-known passwords and their SHA1 hashes. But again: a lot of effort for almost no benefit. The list-of-worst-passwords is a very solved problem.
Unless, umm, that page is itself dynamically generated, and just does the check there to avoid an extra roundtrip.
Still, well done 'leet TC h@x0rs!