suckypasswords check is very limited, could be expanded

Bug #844457 reported by Melissa Draper
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: Wishlist
Assigned to: Amelia Cordwell

Bug Description

When validating passwords, there is a check against an array of really bad passwords:
https://gitorious.org/mahara/mahara/blobs/f7d9a23f0744f719fc7f75bd5d740eef6ae4d055/htdocs/auth/lib.php#line1606

Currently the collection of bad passwords is really small. It could be expanded. Some resources are:
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html
http://img.sjbn.co/files/500-most-used-passwords-show-as-a-tag-cloud.gif
http://www.skullsecurity.org/wiki/index.php/Passwords

There should be more than one level of filtering bad passwords. Some, such as the current suckypasswords collection, should be forced. There should also be an optional blacklist based on the resources above.
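The two-level filter proposed above (a mandatory list that is always enforced, plus a larger optional list an administrator can switch on) can be sketched as follows. This is an added example, not Mahara's own code and not the contents of its suckypasswords array; the list entries, the 8-character minimum and the helper names are constructed for illustration. It goes slightly beyond the description by also rejecting a candidate that matches the username and by matching after trailing digits are stripped, so that "password1" is caught by the same entry as "password".

```python
"""Two-tier bad-password filter (added example, not Mahara's implementation).

Tier 1: a small mandatory deny list that is always enforced.
Tier 2: a large optional deny list (e.g. loaded from a public
        "most used passwords" file) that a site administrator can enable.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of a mandatory list; placeholder values, not the real array.
MANDATORY_DENYLIST: frozenset[str] = frozenset(
    {"password", "123456", "qwerty", "letmein", "mahara"}
)

_DIGITS = "0123456789"


def normalise(candidate: str) -> str:
    """Case-fold and trim so 'Password ' compares equal to 'password'."""
    return candidate.strip().casefold()


def variants(candidate: str) -> set[str]:
    """Forms of the candidate that are compared against the lists.

    Besides the normalised string itself, the form with trailing digits
    removed is checked, so a deny-list entry 'dragon' also covers 'dragon99'.
    """
    pw = normalise(candidate)
    stripped = pw.rstrip(_DIGITS)
    return {pw, stripped} if stripped else {pw}


def load_denylist(lines: Iterable[str]) -> frozenset[str]:
    """Parse a one-password-per-line list; blank lines and '#' comments are ignored."""
    entries = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(normalise(line))
    return frozenset(entries)


@dataclass
class PasswordPolicy:
    optional_denylist: frozenset[str] = frozenset()
    enforce_optional: bool = False   # administrator toggle for tier 2 (assumed setting)
    min_length: int = 8              # constructed minimum, not Mahara's rule

    def check(self, candidate: str, username: Optional[str] = None) -> tuple[bool, str]:
        """Return (accepted, reason). Mandatory checks run before the optional list."""
        if len(candidate) < self.min_length:
            return False, "too short"
        forms = variants(candidate)
        if forms & MANDATORY_DENYLIST:
            return False, "in mandatory deny list"
        if username and normalise(username) in forms:
            return False, "equals username"
        if self.enforce_optional and forms & self.optional_denylist:
            return False, "in optional deny list"
        return True, "ok"


# Constructed sample of an optional list, as it might be read from a file.
SAMPLE_OPTIONAL_LINES = ["# constructed sample list", "", "iloveyou", "Dragon", "monkey"]


def demo() -> list[tuple[str, bool, str]]:
    """Run a few constructed candidates through both tiers and report the outcome."""
    policy = PasswordPolicy(
        optional_denylist=load_denylist(SAMPLE_OPTIONAL_LINES),
        enforce_optional=True,
    )
    results = []
    for candidate, user in [("Password1", None), ("DRAGON99", None),
                            ("melissa123", "Melissa"), ("correcthorsebattery", None)]:
        ok, reason = policy.check(candidate, username=user)
        results.append((candidate, ok, reason))
    return results


if __name__ == "__main__":
    for candidate, ok, reason in demo():
        print(f"{candidate!r:24} {'accepted' if ok else 'rejected'}: {reason}")
```

Because tier 1 is a fixed constant and tier 2 is data loaded at runtime, the large list can be swapped or extended without touching the validation code, which is the separation the report asks for.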

Melissa Draper (melissa)
Changed in mahara:
importance: Undecided → Wishlist
Revision history for this message
François Marier (fmarier) wrote :

http://sharetext.org/BEM is another good list (the one that Twitter used to use I think)

Changed in mahara:
status: New → Triaged
tags: added: passwords security
tags: removed: security
tags: added: academy security
Changed in mahara:
assignee: nobody → Amelia Cordwell (amelia-stuffed)
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4166

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/4167

Changed in mahara:
status: Triaged → Fix Committed
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4171

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4166
Committed: http://gitorious.org/mahara/mahara/commit/f166c23517fbec15cc1cd776bc8459fa72f72959
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit f166c23517fbec15cc1cd776bc8459fa72f72959
Author: Amelia Cordwell <email address hidden>
Date: Wed Jan 14 11:23:10 2015 +1300

Bug 844457 - suckypasswords array increase

I increased the list of bad passwords for users' new passwords to
be checked against using the lists http://sharetext.org/BEM and
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html .
While this is much better than the previous list, at some point
it would probably be a good idea to change the way this works.

Change-Id: I1ca667fdd53729e2f05eb7e3e95622a7cfef7b31

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/4193

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4194

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4200

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4200
Committed: http://gitorious.org/mahara/mahara/commit/b8eac89f37683c9aaf319bff7033daeda253fdd3
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit b8eac89f37683c9aaf319bff7033daeda253fdd3
Author: Amelia Cordwell <email address hidden>
Date: Tue Jan 20 09:06:58 2015 +1300

Behat test for suckypasswords (Bug 844457)

Change-Id: If28d4ad59d4bff9fedbb4e24c19975adb60ad1c3

Robert Lyon (robertl-9)
Changed in mahara:
milestone: none → 15.04.0
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released
tags: added: behat has-behat