mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-01 04:37:03 -04:00
If a user chooses a very common password then an attacker could guess it in relatively few attempts, circumventing the lockout. CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists: https://github.com/danielmiessler/SecLists
- downloaded `10k_most_common.txt`, `twitter-banned.txt` and `500-worst-passwords.txt`
- filtered out any under 8 characters:

```
sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
```

- filtered out any duplicates:

```
cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
```
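The same pipeline in Python, as an added example rather than code from the notifications-admin project: it concatenates the source lists in order, drops entries shorter than 8 characters (the `sed '/^.{,7}$/d'` step), removes duplicates while keeping the first occurrence (what `awk '!x[$0]++'` does), and then answers the question the list exists for, whether a candidate password is on it. The three sample lists are constructed here to stand in for the downloaded files; `build_blacklist` and `is_blacklisted` are names chosen for this example. The one deliberate deviation from the shell version is that line endings are stripped before measuring length, so a `\r` from a CRLF file is not counted as a password character.

```python
"""Build a common-password blacklist and check candidates against it.

Added example, not the project's own code. Mirrors the shell pipeline:
concatenate sources, drop entries under 8 characters, dedupe keeping
the first occurrence, then do an exact-match lookup.
"""
from typing import Iterable, List, Set

# Matches sed '/^.{,7}$/d': lines of 0-7 characters are removed.
MIN_LENGTH = 8

# Constructed sample data standing in for twitter-banned.txt,
# 500-worst-passwords.txt and 10k_most_common.txt respectively.
TWITTER_BANNED = ["password\n", "letmein\n", "trustno1\n", "qwerty\n"]
WORST_500 = ["password\n", "123456\n", "baseball\n", "trustno1\n"]
TOP_10K = ["iloveyou\n", "princess\r\n", "baseball\n", "1234567890\n"]


def build_blacklist(sources: Iterable[Iterable[str]],
                    min_length: int = MIN_LENGTH) -> List[str]:
    """Combine source lists in order, dropping short entries and duplicates.

    Order is preserved and the first copy of a duplicate wins, exactly as
    `awk '!x[$0]++'` behaves on the concatenated file.
    """
    seen: Set[str] = set()
    result: List[str] = []
    for source in sources:
        for line in source:
            # Strip only the line terminator; the raw sed version would have
            # counted a trailing '\r' as a character and kept 7-char entries.
            entry = line.rstrip("\r\n")
            if len(entry) < min_length:
                continue
            if entry in seen:
                continue
            seen.add(entry)
            result.append(entry)
    return result


def load_list(path: str) -> List[str]:
    """Read one downloaded list; lines are returned with terminators intact."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readlines()


def is_blacklisted(password: str, blacklist: Set[str]) -> bool:
    """Exact-match check, as the deduped file is used: no case folding."""
    return password in blacklist


if __name__ == "__main__":
    entries = build_blacklist([TWITTER_BANNED, WORST_500, TOP_10K])
    lookup = set(entries)
    print(f"{len(entries)} blacklisted entries")
    for candidate in ("password", "letmein", "Password", "correct horse"):
        print(f"{candidate!r}: {'rejected' if is_blacklisted(candidate, lookup) else 'ok'}")
```

Because the check is an exact string match, `Password` and `password1` pass even though `password` is listed; if the app wants to catch trivial variants it has to normalise the candidate (and the list) before the lookup, which the shell pipeline above does not do.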