So, the NCSC has been running a study on the prevalence of the ‘Top 1000 Passwords’. It’s useful stuff, but I wondered – just how frequent are these passwords? How can they know? Where did this list come from?
I noticed, for example, that the list included baseball, which I gather is a degenerate form of rounders. It’s certainly not what I’d expect on a UK-centric list of passwords. Similarly, chicago, and redsox were unlikely. (There are, however, cricket and wanker, so it isn’t an entirely Americanised list).
I also noticed some passwords – like rasdzv3 – that I couldn’t see any obvious reason for being particularly popular.
Anyway – I wondered – how frequent are these? What was the most frequent? Continue reading “A brief analysis of the NCSC’s “Top 1000 Passwords” list”
Okay, this this relates to my recent post on password hashing in Sitecore, and why we should move away from SHA1. Let’s say you’ve decided to use SHA512 for a brand new instance like Sitecore recommend…
When you create a new website, you must change the weak default hash algorithm (SHA1) that is used to encrypt user passwords to a stronger algorithm.
To change the hash algorithm:
- Open the web.config file and in the <membership> node, set the hashAlgorithmType setting to the appropriate value. We recommend SHA512.
Okay, funky, but how do I make the existing admin’s password work? Continue reading “Reset your Sitecore Admin password to ‘b’ when using SHA512 hashing”
Nope, not cannabis, nor potato, but rather this:
Yup, password hashes in Sitecore. Unfortunately, they’re not all that secure – but they can be. Continue reading “Hashing for fun and profit…”
Troy Hunt has published the hashes of 306,000,000 passwords that have been breached. And exposed it as a web service.
This lets you tell a user if a given password has appeared in a breach. You send the service a hash of the password, and Troy’s web service responds if that hash has appeared in a breach.
Why is that useful? You can pro-actively inform users if their password has been breached (and recorded in haveibeenpawned) at either registration or login. You may want to block users from using that password, or you could just warn them.
Continue reading “Check Users Passwords during Registration/Login”