Files
notifications-admin/app/main/validators.py
Chris Hill-Scott 136662bd30 Stop people using very common passwords
If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.

CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists:
  https://github.com/danielmiessler/SecLists

- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
  `500-worst-passwords.txt`

- filtered out any under 8 characters:
  ```
  sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
  ```

- filtered out any duplicates:
  ```
  cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
  ```
2016-09-27 11:51:12 +01:00

1.7 KiB