suckypasswords check is very limited, could be expanded

Bug #844457 reported by Melissa Draper on 2011-09-08
Affects: Mahara
Importance: Wishlist
Assigned to: Amelia Cordwell

Bug Description

When validating passwords, there is a check against an array of really bad passwords:
https://gitorious.org/mahara/mahara/blobs/f7d9a23f0744f719fc7f75bd5d740eef6ae4d055/htdocs/auth/lib.php#line1606

Currently the collection of bad passwords is really small. It could be expanded. Some resources are:
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html
http://img.sjbn.co/files/500-most-used-passwords-show-as-a-tag-cloud.gif
http://www.skullsecurity.org/wiki/index.php/Passwords

There should be more than one level of filtering bad passwords. Some, such as the current suckypasswords collection, should be forced. There should also be an optional blacklist based on the resources above.
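A two-level check of the kind the report proposes, written here as an added example rather than Mahara's own auth/lib.php code; the function names, the passwordblacklist config key, the file path and the sample lists are assumptions:

```php
<?php
// Level 1: a small built-in list that is always enforced (constructed sample,
// not Mahara's array). Level 2: an optional, site-configurable blacklist file
// with one password per line, enabled only when the config key points at a file.
declare(strict_types=1);

const FORCED_BAD_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'mahara'];

// Normalise the candidate and the list entries the same way, so 'Password '
// still matches 'password'. mb_strtolower assumes the mbstring extension.
function normalise_password(string $p): string {
    return mb_strtolower(trim($p));
}

// Load the optional blacklist into a set (keys) for O(1) lookup.
// Returns an empty set when no path is configured or the file is unreadable.
function load_optional_blacklist(?string $path): array {
    if ($path === null || !is_readable($path)) {
        return [];
    }
    $set = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $set[normalise_password($line)] = true;
    }
    return $set;
}

// Returns null when the password is acceptable, otherwise the name of the
// level that rejected it ('forced' or 'blacklist') so the caller can word
// the error message accordingly.
function check_bad_password(string $password, array $config): ?string {
    $candidate = normalise_password($password);
    foreach (FORCED_BAD_PASSWORDS as $bad) {
        if ($candidate === normalise_password($bad)) {
            return 'forced';
        }
    }
    $blacklist = load_optional_blacklist($config['passwordblacklist'] ?? null);
    if (isset($blacklist[$candidate])) {
        return 'blacklist';
    }
    return null;
}

// Usage: the hypothetical config key is null here, so only level 1 applies;
// set it to e.g. '/etc/mahara/bad-passwords.txt' (assumed path) to enable level 2.
$config = ['passwordblacklist' => null];
var_dump(check_bad_password('Password', $config));
var_dump(check_bad_password('correct horse battery staple', $config));
```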

Melissa Draper (melissa) on 2011-09-08
Changed in mahara:
importance: Undecided → Wishlist
François Marier (fmarier) wrote :

http://sharetext.org/BEM is another good list (the one that Twitter used to use I think)

Changed in mahara:
status: New → Triaged
tags: added: passwords security
tags: removed: security
tags: added: academy security
Changed in mahara:
assignee: nobody → Amelia Cordwell (amelia-stuffed)
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4166

Changed in mahara:
status: Triaged → Fix Committed
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4171

Reviewed: https://reviews.mahara.org/4166
Committed: http://gitorious.org/mahara/mahara/commit/f166c23517fbec15cc1cd776bc8459fa72f72959
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit f166c23517fbec15cc1cd776bc8459fa72f72959
Author: Amelia Cordwell <email address hidden>
Date: Wed Jan 14 11:23:10 2015 +1300

Bug 844457 - suckypasswords array increase

I increased the list of bad passwords for users' new passwords to
be checked against using the lists, http://sharetext.org/BEM, and
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html.
While this is much better than the previous list, at some point
it would probably be a good idea to change the way this works.

Change-Id: I1ca667fdd53729e2f05eb7e3e95622a7cfef7b31

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4194

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4200

Reviewed: https://reviews.mahara.org/4200
Committed: http://gitorious.org/mahara/mahara/commit/b8eac89f37683c9aaf319bff7033daeda253fdd3
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit b8eac89f37683c9aaf319bff7033daeda253fdd3
Author: Amelia Cordwell <email address hidden>
Date: Tue Jan 20 09:06:58 2015 +1300

Behat test for suckypasswords (Bug 844457)

Change-Id: If28d4ad59d4bff9fedbb4e24c19975adb60ad1c3

Robert Lyon (robertl-9) on 2015-02-11
Changed in mahara:
milestone: none → 15.04.0
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released
tags: added: behat has-behat