[openstreetmap/openstreetmap-website] block extremely simple and common passwords like "12345678" on a registration (#2285)

Mateusz Konieczny notifications at github.com
Sat Jun 29 08:03:37 UTC 2019

Currently registration form requires 8 characters (what is good) and has no massive set of requirements (minimum X of ABC, Y of FGH etc) what is also great.

But it would be useful to blacklist some of the most common and weakest passwords.

Example set of the most common passwords from https://xato.net/today-i-am-releasing-ten-million-passwords-b6278bbe7495

password x19580
12345678 x13582
123456789 x11696
baseball x3565
football x3494
qwertyuiop x2860
1234567890 x2797
superman x2540
1qaz2wsx x2531
trustno1 x2213
jennifer x2155
sunshine x1901
iloveyou x1893
starwars x1718
computer x1688
michelle x1677
11111111 x1575
princess x1483
987654321 x1349
corvette x1327
1234qwer x1276
88888888 x1243
q1w2e3r4t5 x1201
internet x1196
samantha x1149
whatever x1139
maverick x1116
steelers x1058
mercedes x1050
123123123 x1016

(obviously in blocking a bit longer list may be used)

passwords = {}
File.foreach("10-million-combos.txt").each do |line|
    password = line.split[1]    
  rescue ArgumentError
  next if password.nil?
  next if password.length < 8

  passwords[password] ||= 0
  passwords[password] += 1

passwords.to_a.sort_by { |entry| -entry[1] }.each do |entry|
  password = entry[0]
  count = entry[1]
  next if count <= 1000

  puts "#{password} x#{count}"

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20190629/12c72056/attachment.html>

More information about the rails-dev mailing list