18 comments

[ 2.6 ms ] story [ 39.0 ms ] thread
What would be interesting to know is if Twitter got this list from somewhere else, or if they actually analyze which passwords were most commonly chosen by its tens of millions of users in the past

I thought it was the journalist's job to research, not the reader's. Would it be that hard to fire up an email to Twitter and say 'hey, this is Techcrunch, we have a question...'? It's not like this is urgent news and must be published right now or become worthless...

In the New Model, it's good for a site like TC to leave obvious questions unanswered, or even a blatant error or two in the story. It triggers comments and followup stories!
Simply put, in the New Model editorial professionalism is just as irrelevant as in the Old Model.

Like the old model, editorial professionalism is simply to bring return customers and provide a larger market base to your advertisers.

"this is Techcrunch"

There's your answer!

This is a pretty silly question. Lists of most insecure passwords have been posted since the dark ages. Meanwhile, Twitter doesn't store passwords and can't analyze them (without going through contortions).
They could store plain text passwords plus a counter for each. Just so long as there's no connection to the users. They would not need that connection for this purpose.
(a) This fairly qualifies as "contortions", and (b) if an enterprising blogger found out that they were doing this, they could construct a convincing post that this was a security vulnerability (for instance, through timing).

If you like, you can also suggest that they simply SHA1 passwords, and keep a database of well-known passwords and their SHA1 hashes. But again: a lot of effort for almost no benefit. The list-of-worst-passwords is a very solved problem.

It just so happens that Twitter has hard-coded all banned passwords on the sign-up page. All you need to do to retrieve the full list of unwelcome passwords is take a look at the source code of that page.

Unless, umm, that page is itself dynamically generated, and just does the check there to avoid an extra roundtrip.

Still, well done 'leet TC h@x0rs!

Stupid TC post.
I agree. This is hardly one of TC's better articles. Why don't the people who post and vote for these just subscribe to the TC feed and read the TC comments?
Some of these are so unusual.. rush2112?
2112 is the name of a Rush album.
To all you sys admins out there: Is rush2112 really as common as some of these? I am a bit chagrined by its presence on this list as I have used that as a low security password for 10 years. In fact it is currently my password to HN!! (of course by the time you read this I will have changed it :P )
In all seriousness, I'm surprised 'jesus' isn't on the list. I've known a ton of people who use it (or some form) as their password.
The minimum password length is 6 characters, so "jesus" would be too short.
40. asdfgh 41. asdfgh
Title should be 366 Passwords You Can't Use On Twitter. There are four duplicates: abc123, asdfgh, monkey, password
as a developer, i always felt bad for @asdf who for some reason had password "asdf", too. (or something like this)