
Increase minimum password requirements

Open rubenwardy opened this issue 2 years ago • 3 comments

  • Min length = 10
  • Require some complexity - either more symbols or longer password
  • Disallow 20k most common passwords (including "password")

Also check passwords on log in and redirect to change password form

rubenwardy, Aug 23 '23 14:08

I found this git page of up to 10 million common passwords you can reference, and have as small as 1000. I don't know too much python but I'm sure if you can try to reference the txt file to have it check through the list as they type each letter. Like with a simple if password in "list.txt" and make a popup saying the password is too common when they try to use it, then it should work.

purchaseman26, Dec 08 '23 18:12

I found this git page of up to 10 million common passwords you can reference, and have as small as 1000.

You could reduce this list to 0 passwords — the other 1000 passwords are 11 characters or shorter, and therefore already rejected by ContentDB. ;)

The top 100,000 has 489 passwords with at least 12 characters. They look indeed common, and include only a few “cat walked over keyboard”:

gfhfktkjuhfv
ktjynsq40147
41d8cd98f00b
lhbjkjubz2957704

The ContentDB server could brute force all users with these 489 passwords (or even the 44150 passwords from top 10,000,000), and then send a message to pwned users. That is faster than waiting until they log in. But do you think this makes anyone actually choose a better password, or will they just append a single character from [<>§,"°] to make the system shut up?

doxygen-spammer, Dec 13 '23 14:12

Yeah, I implemented support for checking from the X most common passwords - but ended up with 0 in the list due to the min password length requirement

rubenwardy, Dec 13 '23 14:12
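The policy discussed in this thread (minimum length, a "more symbols or longer" complexity rule, and a common-password list that is pruned by the length rule), as an added Python example that is not ContentDB's own code. The 12-character minimum follows doxygen-spammer's remark that 11 characters or shorter are already rejected; the complexity thresholds and the sample password list are constructed assumptions for illustration.

```python
from typing import Iterable

# Constructed sample standing in for a "most common passwords" file; the
# real lists (top 1,000 to top 10,000,000) are not included here.
COMMON_PASSWORDS_SAMPLE = [
    "password", "123456", "qwerty", "iloveyou", "letmein",
    "password1234", "gfhfktkjuhfv", "ktjynsq40147", "41d8cd98f00b",
    "lhbjkjubz2957704", "1234567890123",
]

MIN_LENGTH = 12  # the thread says ContentDB rejects 11 characters or shorter


def prune_common_list(passwords: Iterable[str], min_length: int) -> set[str]:
    """Keep only entries the minimum-length rule would not already reject.
    Everything else can never match a password that reached this check,
    which is why a top-1000 list shrinks to nothing at 12 characters."""
    return {p.lower() for p in passwords if len(p) >= min_length}


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/other are present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def validate_password(password: str, min_length: int, common: set[str]) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Meant to run on registration, on password change and on log-in, where a
    failing password sends the user to the change-password form."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in common:
        problems.append("too common")
    # "More symbols or a longer password": either three character classes at
    # min_length, or four extra characters with no class requirement. The
    # exact numbers are an assumption, not ContentDB's policy. This rule is
    # also what stops "common password + one symbol" from sailing through.
    if character_classes(password) < 3 and len(password) < min_length + 4:
        problems.append("needs more character classes or more length")
    return problems


if __name__ == "__main__":
    common = prune_common_list(COMMON_PASSWORDS_SAMPLE, MIN_LENGTH)
    for candidate in ("gfhfktkjuhfv", "gfhfktkjuhfv!", "correct horse battery staple"):
        print(candidate, "->", validate_password(candidate, MIN_LENGTH, common) or "ok")
```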