Between Adobe and Gawker analyses, we ought to be able to simply add a list of common passwords that should be blacklisted (e.g. 123456) regardless of how the policy is configured.

Comments

erikwebb:

Version: 7.x-1.x-dev » 7.x-2.x-dev

All new feature requests should be assigned to 7.x-2.x.

sjpatrick:

Attachment (status: new, size: 2.36 KB)

Attached is an attempt I've made to provide this added feature, developed against the 7.x-2.x branch.

aohrvetpv:

Glad to see a patch for this feature. We implemented this in-house for 7.x-1.x, but never generalized it enough to submit. Very much want to see it added.

Suggested improvements:
1. Separate blacklisted passwords by lines instead of commas. Doing so would allow copying in common password-cracking wordlists, which are typically separated by lines. Also, it is possible that someone would want to blacklist a password containing a comma.
2. Case-insensitive matching. You don't want to have to list every case permutation. For example, password, Password, PaSsWoRd, etc.
3. Option to disallow passwords containing the blacklisted word, instead of exactly matching. For example, "password1", "password123", and "password2014" are just about as bad as "password".
4. Option to specify external text files with blacklisted words. This way you could easily blacklist passwords from multiple password-cracking wordlists.

Will actually test the patch and try to implement some of these.

aohrvetpv:

Is there ever an instance where you would want matching to be case sensitive? I'm thinking it should just be case insensitive by default. If you don't want someone to use "iloveyou", you probably don't want them to use "ILoveYou".

aohrvetpv:

Status: Active » Needs review
Attachment (status: new, size: 3.39 KB)

- Implemented #1 and #2 from comment 3.
- Added SimpleTest tests.
- Changed description. Blacklisted passwords can be application specific and are not necessarily common.
- Made some language more consistent with other constraints.
- Renamed "blacklist_list" to "blacklist". "blacklist_list" is redundant.

I did not add an option to disallow passwords containing blacklisted passwords. That can be added later, as an enhancement.

aohrvetpv:

Attachment (status: new, size: 3.44 KB)

Changed to remove blank lines from blacklist.
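The matching rules discussed in this thread (one entry per line so wordlists and comma-containing passwords work, blank lines dropped, case-insensitive comparison, an optional "contains" mode, and merging several external wordlist files) are small enough to show in one place. The following is an added, stand-alone illustration written for this page; it is not the attached patch or the Password Policy module's own code, and the function names, the sample blacklist text and the `min_contains_len` guard are assumptions made here.

```python
from pathlib import Path
from typing import Iterable

# Constructed sample blacklist in the newline-separated format proposed in
# the thread. It deliberately contains blank lines, surrounding whitespace,
# mixed case and an entry with a comma.
SAMPLE_BLACKLIST = """
password
  123456

ILoveYou
acme,2014
"""


def parse_blacklist(text: str) -> set[str]:
    """Parse one-entry-per-line blacklist text.

    Blank lines and surrounding whitespace are discarded and every entry is
    lower-cased so that later comparisons are case-insensitive.
    """
    entries: set[str] = set()
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            entries.add(entry.lower())
    return entries


def load_blacklist_files(paths: Iterable[str]) -> set[str]:
    """Merge several newline-separated wordlist files into one blacklist.

    Wordlists are read as UTF-8 with undecodable bytes ignored, since
    third-party lists are often in mixed encodings.
    """
    merged: set[str] = set()
    for path in paths:
        merged |= parse_blacklist(
            Path(path).read_text(encoding="utf-8", errors="ignore")
        )
    return merged


def is_blacklisted(
    password: str,
    blacklist: set[str],
    contains: bool = False,
    min_contains_len: int = 4,
) -> bool:
    """Return True when the candidate password violates the blacklist.

    Exact mode: the lower-cased password equals a blacklisted entry.
    Contains mode: a blacklisted entry occurs anywhere in the password, so
    "password123" is rejected when "password" is listed. Very short entries
    are skipped in contains mode (min_contains_len, an assumption made here,
    not part of the patch) because a one- or two-character entry would
    otherwise reject almost every password.
    """
    candidate = password.lower()
    if candidate in blacklist:
        return True
    if contains:
        return any(
            entry in candidate
            for entry in blacklist
            if len(entry) >= min_contains_len
        )
    return False


if __name__ == "__main__":
    bl = parse_blacklist(SAMPLE_BLACKLIST)
    for pw in ("PASSWORD", "password123", "Acme,2014", "correct horse"):
        print(f"{pw!r}: exact={is_blacklisted(pw, bl)} "
              f"contains={is_blacklisted(pw, bl, contains=True)}")
```

Exact mode is what the attached patch implements; `contains=True` corresponds to the enhancement deferred to the follow-up issue. Keep a lower bound on entry length whenever substring matching is enabled, or a stray short line in an imported wordlist will lock out every user.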

aohrvetpv:

I do not think there would be value in enabling this constraint in the current default 'Example policy'. The existing default constraints already disallow most really common passwords like '123456' and 'password'.

There may be value in adding this to the default policy if #3 in comment 3 were implemented.

deekayen:

Version: 7.x-2.x-dev » 7.x-1.x-dev
Status: Needs review » Patch (to be ported)

aohrvetpv:

I did not add an option to disallow passwords containing blacklisted passwords. That can be added later, as an enhancement.

#2466301: Option to disallow passwords containing blacklisted passwords