
Allow additional words to be added to the disallowed password dictionary

Open Diane-Rose22 opened this issue 1 year ago • 2 comments


Problem

Per current NIST password recommendations, context-specific passwords should be disallowed - for example the application name, the site URL, etc.

Solution

I would like a password requirements option to define additional words that are not allowed in passwords - where I could add my company name, my company website, etc. These additional words could be checked against in the same way breached passwords are checked against when verifying a new password is valid.

Additional context

NIST recommendation - this is a subset of point 4, and an extension of ticket https://github.com/FusionAuth/fusionauth-issues/issues/2733:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/2733

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Diane-Rose22 avatar Apr 30 '24 20:04 Diane-Rose22

Thanks for the suggestion @Diane-Rose22. Unfortunately we have a full roadmap right now, but when we revisit this functionality, we'll review this issue.

mooreds avatar Sep 24 '24 01:09 mooreds

@mrudatsprint @mooreds Upvoting this issue as we would also like to have this functionality.

bbarman4u avatar Oct 28 '24 21:10 bbarman4u