
Add a common password blacklist
ClosedPublic

Authored by epriestley on Jan 23 2014, 8:56 PM.
Tags
None
Subscribers

Details

Reviewers
btrahan
Maniphest Tasks
T4143: Add a common password blacklist
Commits
rP02aa193cb05e: Add a common password blacklist
Summary

Fixes T4143. This mitigates the "use a botnet to slowly try to login to every user account using the passwords '1234', 'password', 'asdfasdf', ..." attack, like the one that hit GitHub.

(I also donated some money to Openwall as a thanks for compiling this wordlist.)

Test Plan
  • Tried to register with a weak password; registered with a strong password.
  • Tried to set VCS password to a weak password; set VCS password to a strong password.
  • Tried to change password to a weak password; changed password to a strong password.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

src/applications/diffusion/panel/DiffusionSetPasswordPanel.php:75

A couple of users have been vaguely confused by this; I attempted to reword for clarity.

The word list is very interesting... Nice call on the strtolower normalization, I think.

externals/wordlist/password.lst:31

We had a problem at Harvard where a user assistant (the job Dustin and I had) told users who were having problems satisfying the password constraints to use this as their password... oy vey
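The mitigation the Summary describes (reject any new, changed or VCS password that appears on a common-password list) and the strtolower normalization praised in the timeline, as an added stand-alone example. This is not Phabricator's code and does not use its API; the wordlist embedded below is a constructed sample in the style of Openwall's password.lst (a header of `#!comment:` lines, then one candidate per line), and the function names are this example's own.

```python
"""Common-password blacklist check with case normalization.

Added example, not Phabricator's implementation. It mirrors the idea in
the revision: load a wordlist once, lowercase both the list entries and
the candidate, and refuse the candidate if it is on the list.
"""

from typing import FrozenSet, Iterable, Optional

# Constructed stand-in for externals/wordlist/password.lst. The real
# Openwall list is far longer; only the shape is reproduced here.
SAMPLE_WORDLIST = """\
#!comment: constructed sample in the style of Openwall's password.lst
#!comment: one candidate password per line, header lines are skipped
123456
12345
password
password1
123456789
12345678
1234567890
abc123
computer
tigger
1234
qwerty
xxx
Mustang
letmein
asdfasdf
"""


def load_blacklist(lines: Iterable[str]) -> FrozenSet[str]:
    """Parse wordlist lines into a frozenset of lowercased entries.

    Blank lines and "#!comment:" header lines are ignored. Lowercasing
    happens once at load time, so a lookup only needs to lowercase the
    candidate (the strtolower step from the review).
    """
    entries = set()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#!comment:"):
            continue
        entries.add(line.lower())
    return frozenset(entries)


def load_blacklist_file(path: str) -> FrozenSet[str]:
    """Load a wordlist from disk (e.g. a copy of Openwall's password.lst)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return load_blacklist(handle)


def is_blacklisted(password: str, blacklist: FrozenSet[str]) -> bool:
    """True if the password matches a list entry, ignoring case."""
    return password.lower() in blacklist


def validate_password(password: str, blacklist: FrozenSet[str]) -> Optional[str]:
    """Return an error message for a rejected password, or None if accepted.

    Shared by the three code paths the Test Plan exercises (registration,
    password change, VCS password): one check, one wording.
    """
    if is_blacklisted(password, blacklist):
        return "That password is too common and is not allowed; choose another."
    return None


if __name__ == "__main__":
    blacklist = load_blacklist(SAMPLE_WORDLIST.splitlines())
    for candidate in ("password", "PASSWORD", "Mustang", "correct horse battery staple"):
        verdict = validate_password(candidate, blacklist) or "accepted"
        print(f"{candidate!r}: {verdict}")
```

Lowercasing both sides means "Password", "PASSWORD" and the list's own mixed-case entries ("Mustang") are all caught by one comparison, and the lookup is a set membership test, so checking against a list of tens of thousands of entries costs the same as checking against sixteen. The normalization is deliberately narrow: it does not fold leet substitutions or strip trailing digits, so "p@ssword" or "password2014" pass this check; a blacklist is a floor against the bulk-guessing attack the Summary names, not a substitute for a password-strength policy.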