Chris Hill-Scott 136662bd30 Stop people using very common passwords
If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.

CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists:
  https://github.com/danielmiessler/SecLists

- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
  `500-worst-passwords.txt`

- filtered out any under 8 characters:
  ```
  sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
  ```

- filtered out any duplicates:
  ```
  cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
  ```
2016-09-27 11:51:12 +01:00
2016-08-04 09:05:00 +01:00
2016-08-31 15:15:28 +01:00
2016-08-30 12:06:21 +01:00
2016-08-31 15:15:28 +01:00
2016-08-30 12:06:21 +01:00
2016-09-01 11:22:52 +01:00
2016-09-14 10:31:00 +01:00

Build Status Requirements Status Coverage Status

Deploy to staging Deploy to live

notifications-admin

GOV.UK Notify admin application.

Features of this application

  • Register and manage users
  • Create and manage services
  • Send batch emails and SMS by uploading a CSV
  • Show history of notifications

First-time setup

Brew is a package manager for OSX. The following command installs brew:

    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Languages needed

  • Python 3.4
  • Node 5.0.0 or greater
    brew install node

NPM is Node's package management tool. n is a tool for managing different versions of Node. The following installs n and uses the latest version of Node.

    npm install -g n
    n latest
    npm rebuild node-sass

The app runs within a virtual environment. We use mkvirtualenv for easier working with venvs

    pip install virtualenvwrapper
    mkvirtualenv -p /usr/local/bin/python3 notifications-admin

Install dependencies and build the frontend assets:

    workon notifications-admin
    ./scripts/bootstrap.sh

Rebuilding the frontend assets

If you want the front end assets to re-compile on changes, leave this running in a separate terminal from the app

    npm run watch

Create a local environment.sh file containing the following:

echo "
export NOTIFY_ENVIRONMENT='development'
export ADMIN_CLIENT_SECRET='notify-secret-key'
export API_HOST_NAME='http://localhost:6011'
export DANGEROUS_SALT='dev-notify-salt'
export SECRET_KEY='notify-secret-key'
export DESKPRO_API_HOST="some-host"
export DESKPRO_API_KEY="some-key"
"> environment.sh

AWS credentials

Your aws credentials should be stored in a folder located at ~/.aws. Follow Amazon's instructions for storing them correctly

Generate the application version file

    make generate-version-file

Running the application

    workon notifications-admin
    ./scripts/run_app.sh

Then visit localhost:6012

Description
The UI of Notify.gov
Readme 560 MiB
Languages
Python 69.3%
HTML 16.6%
JavaScript 11.1%
SCSS 0.9%
Nunjucks 0.7%
Other 1.4%