Cenzic 232 Patent
Paid Advertising
web application security lab

US Cities Dictionary

Born from much frustration out of not seeing this anywhere else I finally created a dictionary file for all the US cities. I really couldn’t believe such a thing wasn’t already floating around. Tons of companies use US city names as names for hardware devices, passwords for networking devices, and so on. Anyway, it finally came to a head the other day when I was presented with a secret question that said “What is your city of birth?” Well, generally speaking you know that it has to be one out of around 20,000 cities in the US, so if they don’t have any brute force detection on the secret question you can brute force that pretty easily (10,000 guesses on average per account - which only takes about 1/2 an hour if you automate it).

So I looked around places like Packetstorm’s wordlist page and a few other places and finally just decided it was easier to rip one of the GEOIP databases apart and generate my own. So if anyone else has had the same problems, never fear - you can just download the list of US Cities here. Hopefully that will make someone else’s life easier. Happy auditing!

15 Responses to “US Cities Dictionary”

  1. mckt Says:

    Merged that list with the top 2k cities by population, then sorted it. Hopefully gives you faster cracking by placing the cities with the highest likelihood at the top:

    http://skeptikal.org/repository/us_cities_sorted.gz

    I’ll put up a more accurate sort once I finish processing all the census data.

  2. mckt Says:

    A few fancy lines of perl later, a new list is up. For the sake of the sort, I considered things like Springfield Ohio and Springfield Illinois to be the same city and added their populations together.

    http://skeptikal.org/repository/us_cities_by_pop.gz

    There’s still some flaws with both mine and yours, in that either New York City and New York may be a correct answer to the question. There also are a lot of cases with “village”, “town” and others. I left them in, because they’re easy enough to strip out in the attack script, but not as easy to add back.

    Then there’s the capitalization issues, but that obviously depends on whether the target application is case sensitive or not. My list is all lowercase, to save disk space :)

  3. Andrew Says:

    Iím pretty sure that that information is in the US census TIGER/Line data set (http://www.census.gov/geo/www/tiger/). It definitely has the name of every road/street in the US.

  4. Kyo Says:

    This is precisely what’s wrong with security questions. They’re not secure at all. Most of the information is fairly easy to option through research or social engineering. What normal person is going to think about their security question when you ask them what their favorite book is? Hell, make a list of 100 top selling books in english language and you have a fairly good chance it’s in there

  5. Penguin Pete Says:

    That’s why I always pick a security question which has an unexpected response. For instance “What is your favorite sports team” - I actually hate sports, so I have a specific response that I use. Trying to hack it with a dictionary file of team names would yield nil.

    Thanks for the list!

  6. dc Says:

    see also awlg.org

  7. Larry Hosken Says:

    Fortunately, I was born in San Francisco, a city which didn’t make it into your file. My secrets are safe!

  8. duryodhan Says:

    Kyo: this might interest you http://research.microsoft.com/apps/pubs/default.aspx?id=79594

    The whole secret question thing is a huge problem imho as Sarah Palin showed

  9. duryodhan Says:

    Did you think about using http://en.wikipedia.org/wiki/List_of_cities,_towns,_and_villages_in_the_United_States ? I would have started with that .. but yeah .. using the GeoIP dbs is pretty smart :)

  10. GFCM Says:

    Well, you just made me think about making a list of first/last names.

    It would be a lot harder to do it, but facebook, myspace, and many others could give a pretty big list. Would it be too big? I don’t know..

    Btw.. in companies i worked with/for i saw the usage of cities, cars (brands/types/models) and (greek) gods for hardware devices, passwords for networking devices and etc. Maybe would be usefull to make a list (or a post :D) of what is also used.

  11. Spider Says:

    This is why I never give an actual city name to that question. I’d just assumed that it was easily crackable.

  12. Kyo Says:

    @duryodhan

    Funny, I was thinking about the Sarah Palin incident as well while writing my comment.

    I’ll check your link later, microsoft.com isn’t loading for me right now. Thanks for the tip anyhow.

  13. Amer Neely Says:

    Whenever I have to pick one of those security questions, I always choose an answer that is totally off-topic:
    What is your favourite colour: seven

  14. Micha J. Englisch Says:

    Mh..i had the same problem some time ago, but in german, so i created a similar list for germany. it can be found here:
    http://toa.st3r.de/stuff/de-cities.txt.bz2

  15. Andrew Says:

    Hi

    Thanks for the file but how do I open it?

    What app please?

    Thanks