
Most-Used Password Database

Open the-moisrex opened this issue 10 months ago • 2 comments

We need a database of the most used passwords in the framework without needing to import a huge password list file, which may be gigabytes of data.

We need that in an algorithmic way or something really small.

The goal is to reject passwords that are common, but we don't want to waste too much storage on it.

the-moisrex, Feb 16 '25 05:02

one suggestion that I had: Use a Bloom filter for top 1K common passwords + lightweight algo checks (i.e: keyboard patterns, sequences). Hybrid approach catches exact matches AND weak variants (like 'qwer' or '1234') with minimal storage.

SC-One, Apr 26 '25 03:04
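A sketch of the hybrid approach described above, added here as an example and not code from webpp or from either commenter: a 1 KiB Bloom filter over a constructed stand-in for the top-1K list, plus a check for runs taken from keyboard rows or ordinal sequences (the 'qwer' / '1234' variants). Every name in it (`bloom_filter`, `has_keyboard_run`, `weak_password_checker`, the five sample passwords) is hypothetical.

```cpp
#include <algorithm>
#include <array>
#include <bitset>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>
#include <string_view>

// Seeded FNV-1a: one hash routine with K different seeds gives K Bloom hash functions.
constexpr std::uint64_t fnv1a(std::string_view s, std::uint64_t seed) {
    std::uint64_t h = 14695981039346656037ULL ^ seed;
    for (unsigned char c : s) {
        h ^= c;
        h *= 1099511628211ULL;
    }
    return h;
}

// Bloom filter with M bits and K hashes. 8192 bits (1 KiB) for ~1K entries at
// K = 7 gives roughly a 1% false-positive rate and never a false negative, so
// "maybe_contains" means "probably in the list" and false means "definitely not".
template <std::size_t M = 8192, std::size_t K = 7>
class bloom_filter {
    std::bitset<M> bits_;
    static std::size_t slot(std::string_view s, std::size_t i) {
        return static_cast<std::size_t>(
            fnv1a(s, static_cast<std::uint64_t>(i) * 0x9E3779B97F4A7C15ULL) % M);
    }
  public:
    void insert(std::string_view s) {
        for (std::size_t i = 0; i < K; ++i) bits_.set(slot(s, i));
    }
    bool maybe_contains(std::string_view s) const {
        for (std::size_t i = 0; i < K; ++i)
            if (!bits_.test(slot(s, i))) return false;
        return true;
    }
};

// ASCII-only lowering; real case folding/normalisation is a separate concern.
std::string to_lower(std::string_view s) {
    std::string out(s);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return out;
}

// Constructed sample of keyboard rows and ordinal sequences (a fuller version
// would add more layouts and diagonals).
constexpr std::array<std::string_view, 5> sequences = {
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789", "abcdefghijklmnopqrstuvwxyz"};

// True when any window of min_run characters appears consecutively, forwards or
// backwards, inside one of the sequences (catches "qwer", "1234", "4321", ...).
bool has_keyboard_run(std::string_view password, std::size_t min_run = 4) {
    const std::string lower = to_lower(password);
    if (lower.size() < min_run) return false;
    for (std::string_view seq : sequences) {
        const std::string rev(seq.rbegin(), seq.rend());
        const std::string_view rev_view(rev);
        for (std::size_t i = 0; i + min_run <= lower.size(); ++i) {
            const std::string_view window(lower.data() + i, min_run);
            if (seq.find(window) != std::string_view::npos ||
                rev_view.find(window) != std::string_view::npos)
                return true;
        }
    }
    return false;
}

// Hybrid checker: exact (probabilistic) list match first, then pattern check.
struct weak_password_checker {
    bloom_filter<> filter;
    explicit weak_password_checker(std::initializer_list<std::string_view> common) {
        for (std::string_view p : common) filter.insert(to_lower(p));
    }
    // Returns a reason for rejection, or an empty view when the password passes.
    std::string_view reject_reason(std::string_view password) const {
        if (filter.maybe_contains(to_lower(password))) return "in common-password list";
        if (has_keyboard_run(password)) return "contains keyboard/ordinal sequence";
        return {};
    }
};

// Constructed five-entry stand-in for the real top-1K list.
const weak_password_checker& default_checker() {
    static const weak_password_checker c{"password", "123456", "letmein", "iloveyou", "admin"};
    return c;
}

bool is_weak(std::string_view pw) { return !default_checker().reject_reason(pw).empty(); }

int main() {
    for (std::string_view pw : {"password", "PASSWORD", "xqwer99", "zz4321", "correct horse"}) {
        const std::string_view why = default_checker().reject_reason(pw);
        std::cout << pw << ": " << (why.empty() ? std::string_view("ok") : why) << '\n';
    }
}
```

The filter is built at start-up from an in-memory list here; feeding it from a generated table at compile time, as discussed later in the thread, is the same structure with `insert` moved to build time. Note the asymmetry: a Bloom hit can be a false positive (the user is asked for another password), a miss is exact, which is the right direction for a reject-list.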

one suggestion that I had: Use a Bloom filter for top 1K common passwords + lightweight algo checks (i.e: keyboard patterns, sequences). Hybrid approach catches exact matches AND weak variants (like 'qwer' or '1234') with minimal storage.

These are some good ideas.

I guess what we need is multiple solutions.

  • One for keyboard layouts (which would help find qwerty and 123s)
  • One that takes a password list (possibly at compile time) and creates tries or Bloom filter or table lookups or something along those lines.
  • We also need a password list generator of some sort whose result would be fed back into the previous solution. This would be needed for the devs to create their own password list based on the name of their website and other things like that.
  • We may need Unicode's algorithms like case folding and normalization to pre-process the password before checking them.
  • We can also use common words tables, but I'm not sure how. People are gonna use common words in their passwords, should we block them?
  • We also need common trivial restrictions as well like limiting the length and what not.
  • We also need a way to mix these solutions for the devs; it would be a good idea if the ANDs and ORs were consteval.
const string_view password = ...;
const auto my_list = generate_password_list(...);

// all of these would be invocables that take a password, and return a bool
// and we can use minimal logical operators on them to mix them (for convenience) (consteval??).
const bool is_good = (limit_length(3, 100) & my_list & (common_passwords | somethingelse))(password);

if (!is_good) {
 // reject
}

the-moisrex, Apr 26 '25 11:04
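One way the composable-checks sketch above can be realised, added here as an example and not webpp's own code: each check is an invocable `string_view -> bool`, `&`, `|` and `!` combine them, and because every piece is constexpr the whole policy can be evaluated at compile time (the `static_assert`s show that). `check`, `limit_length`, `not_in_list`, `has_char_in` and the two word lists are all hypothetical, constructed for the example; the lists stand in for a generated site-specific list and the common-password table.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <string_view>

// Wrapper around any invocable string_view -> bool so that & | ! compose checks.
template <typename F>
struct check {
    F fn;
    constexpr bool operator()(std::string_view pw) const { return fn(pw); }
};
template <typename F> check(F) -> check<F>;

template <typename A, typename B>
constexpr auto operator&(check<A> a, check<B> b) {
    return check{[a, b](std::string_view pw) { return a(pw) && b(pw); }};
}
template <typename A, typename B>
constexpr auto operator|(check<A> a, check<B> b) {
    return check{[a, b](std::string_view pw) { return a(pw) || b(pw); }};
}
template <typename A>
constexpr auto operator!(check<A> a) {
    return check{[a](std::string_view pw) { return !a(pw); }};
}

// Leaf checks. All loops are hand-written so they stay constant-evaluable in C++17.
constexpr auto limit_length(std::size_t min, std::size_t max) {
    return check{[min, max](std::string_view pw) { return pw.size() >= min && pw.size() <= max; }};
}

template <std::size_t N>
constexpr auto not_in_list(std::array<std::string_view, N> list) {
    return check{[list](std::string_view pw) {
        for (std::string_view w : list)
            if (w == pw) return false;
        return true;
    }};
}

constexpr auto has_char_in(char lo, char hi) {
    return check{[lo, hi](std::string_view pw) {
        for (char c : pw)
            if (c >= lo && c <= hi) return true;
        return false;
    }};
}

// Constructed stand-ins: a generated site-specific list and a common-password table.
constexpr std::array<std::string_view, 3> site_words{"webpp", "webppadmin", "moisrex"};
constexpr std::array<std::string_view, 3> common_passwords{"password", "123456", "letmein"};

// The policy object is built once, at compile time, from the leaves.
constexpr auto policy = limit_length(8, 100)
                      & not_in_list(site_words)
                      & not_in_list(common_passwords)
                      & (has_char_in('0', '9') | has_char_in('A', 'Z'));

// Compile-time evaluation of the whole composed policy.
static_assert(policy("Correct1Horse"), "expected to pass");
static_assert(!policy("password"), "common password must be rejected");

bool password_ok(std::string_view pw) { return policy(pw); }

int main() {
    std::cout << std::boolalpha;
    for (std::string_view pw : {"Correct1Horse", "password", "webppadmin", "Short1", "alllowercase"})
        std::cout << pw << ": " << password_ok(pw) << '\n';
}
```

The lists here are exact-match tables; the Bloom filter or trie from the other solutions plugs in as another `check` leaf with the same signature, and the Unicode pre-processing step would sit in front of `policy` rather than inside any leaf.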