Where do I find a dictionary for password validation?

Question

I am working on a password validation algorithm that needs to check potential passwords against the dictionary. If the password or any part of it can be found in the dictionary, reject it. The function is easy enough, but where do I get the word list? Is there a web service already out there for looking up words? I have poked around some, but not found anything that screams "Pick Me!" Thanks.

EDIT: When I asked this question, I hadn't thought about specific password dictionaries like @Joe Skora that would include words that could be avoided. So, I'll extend the question to include that type of dictionary, and anything else I might not be thinking about with writing this function.

Platform is C#/ASP.Net/SQL Server. This is only one component of the algorithm for strong passwords that will need to be implemented. Thanks Again.

Answer 1

I think the old program was wwwhack.. it had a few brute force dictionaries you could use as a base (they were included as flat text files I think), other than that I don't know of any places that have common PW dictionaries available to the public.

Answer 2

There are several open license general (not specific to passwords) word lists/databases. My favourite is the Princeton WordNet

Answer 3

Usually

• /usr/dict/words

or

• /usr/share/dict/words

depending on which unix you have.

There are more avilable online, such as this free multilingual dictionary

Answer 4

A couple dictionary/wordlists are available here.

Answer 5

To verify a strong password, you should do more than just check for words in the dictionary. But if there is not a library already to do this inyour platform (what is it by the way?) - simply treat it like you want to do spell checking. If any part of the password passes a spellchecker, it fails.

Microsoft has a library for spell-checking.

If you specifically want to use a web service, consider this.

Answer 6

Check all substrings in the intended password against http://www.dictionary.com

Answer 7

Googling on free dictionaries gives you a lot of freely available dictionaries. If you upload them to a database, you can do a fast lookup for a known word.

However don't think it will eliminate non-brute force attacks!

You should have a look at password cracking applications! The simplest extension of the dictionary attack is to combine words. Moreover, there are other types of attacks, like replacing characters, that are close to each other on a keyboard. (For example: turn d to f.)

The best password cracking application I've seen so far is John the Ripper. If you see, what kind of attacks it uses, you can build a better password generator.

You should also study user habits, because a typical password is a bad password. For example, most users put numbers in their passphrase's end, so a strong password is, which has a number in it's middle.

Answer 8

I think there is no need for checking against a dictionnary, especially if you want to reject even a part of your password. English has a lot of small words and extending to multilingual dictionnaries would possibly prevent using any password of a reasonable size without haven every other letter being a 'z' 'q' or 'y': 'a' 'on' 'in' 'je' 'um' 'o' etc.

I don't fully understand why you're caring about a password in a dictionary when you can easily impose other simple rules:

The password with minimum length of 8 chars must consist of:

• 2 to 8 uppercase characters
• 2 to 8 lowercase characters
• 2 to 8 numbers
• 1 to 4 special characters (**+"%&/()?-[]{}\<>* etc.)

Answer 9

I got the word list from here, and loaded it into my database. Removed all words less than 3 characters.

Wrote a C# function to parse each substring of a password (forward only for now) into an xml string.

Pass the xml string to a stored proc that creates a 1 column temp table with each substring making a row.

Join the temp table to my list of words, and if any rows are returned I know the password contains a dictionary word, and I know what substrings matched.

This works well, but I think we'll end up modifying the word list a bit as it may be too restrictive.

Thanks for the help on the word list

I originally tried to go the spell checker route, but I didn't find a way to do a spell check without either a 3rd party component (redistribution was too pricey and we are selling a product), or requiring MS Word on the server.