
Add a common password blacklist
Closed, ResolvedPublic

Description

We currently require 8-character passwords by default, but should also add a default blacklist for "password", "phabricator", etc.

  1. Find some reasonable list(s) of common passwords.
  2. Put them in a file somewhere.
  3. Add anything we can think of that's Phabricator-related ("phabricator", "codereview").
  4. Add a default-on option to reject passwords on the blacklist. Or just do it without an option, I can't really imagine anyone wanting to turn this off.

Context: http://www.theverge.com/2013/11/20/5126906/weak-github-passwords-lead-to-account-security-breach
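The four steps above, carried through as an added example that is not Phabricator's own code: a wordlist in the one-candidate-per-line shape of the openwall lists (the sample lines, the `#!comment:` skip rule, the helper names and the product terms list are this example's assumptions, not the project's), product-specific terms folded in, and a validator that applies the existing 8-character minimum before the blacklist lookup so that a password like `password` fails for the right reason.

```python
"""Added example (not Phabricator's code): reject passwords that appear on a
common-password blacklist, as the task proposes.

Assumptions: the wordlist is plain text with one candidate per line and
metadata on lines prefixed '#!comment:' (the openwall convention); the
minimum length of 8 matches the default the task mentions."""

from typing import Iterable, Optional, Set

MIN_LENGTH = 8

# Constructed sample in the shape of a wordlist file, standing in for the
# real openwall list; not real data from the page or the project.
SAMPLE_WORDLIST = """\
#!comment: constructed sample, not the real openwall list
password
123456
qwerty
letmein
password1
"""

# Product-specific terms the task suggests adding (step 3).
PRODUCT_TERMS = ["phabricator", "codereview"]


def normalize(candidate: str) -> str:
    """Canonical form used for both the list entries and user input:
    strip surrounding whitespace and fold case, so 'Password' matches
    'password' rather than slipping past an exact comparison."""
    return candidate.strip().lower()


def load_blacklist(lines: Iterable[str], extra_terms: Iterable[str] = ()) -> Set[str]:
    """Build the blacklist set from wordlist lines plus extra terms,
    skipping metadata and blank lines (steps 1 to 3)."""
    blacklist: Set[str] = set()
    for line in lines:
        if line.startswith("#!comment:") or not line.strip():
            continue
        blacklist.add(normalize(line))
    for term in extra_terms:
        blacklist.add(normalize(term))
    return blacklist


def validate_password(password: str, blacklist: Set[str]) -> Optional[str]:
    """Return None if the password is acceptable, otherwise a short reason.
    The length rule runs first; the blacklist catches 8+ character
    passwords that are still trivially guessable (step 4)."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if normalize(password) in blacklist:
        return "on common-password blacklist"
    return None


# Built once at import time; a real deployment would load the file once at
# startup rather than per request.
BLACKLIST = load_blacklist(SAMPLE_WORDLIST.splitlines(), PRODUCT_TERMS)


if __name__ == "__main__":
    for pw in ["Password1", "phabricator", "correct horse battery", "short"]:
        print(f"{pw!r}: {validate_password(pw, BLACKLIST) or 'ok'}")
```

The comparison is done on the plaintext before hashing, since a hashed value cannot be matched against a wordlist; the lookup is a set membership test, so list size does not affect request latency once the file is loaded.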

Revisions and Commits

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description.
epriestley added a project: Security.
epriestley added subscribers: epriestley, chad, btrahan.

@Korvin found this page for the John the Ripper wordlists:

http://www.openwall.com/wordlists/

The short/free one looks perfect; I emailed the donations address to see if we can donate to support it. It's open, but has some quasi-commercial trappings and it feels like we're getting more pure value out of this than other sorts of externals.