[openstreetmap/openstreetmap-website] block extremely simple and common passwords like "12345678" on a registration (#2285)

Mateusz Konieczny notifications at github.com
Sat Jun 29 08:03:37 UTC 2019


Currently the registration form requires 8 characters (which is good) and has no massive set of requirements (minimum X of ABC, Y of FGH, etc.), which is also great.

But it would be useful to blacklist some of the most common and weakest passwords.

An example set of the most common passwords, from https://xato.net/today-i-am-releasing-ten-million-passwords-b6278bbe7495:

```
password x19580
12345678 x13582
123456789 x11696
baseball x3565
football x3494
qwertyuiop x2860
1234567890 x2797
superman x2540
1qaz2wsx x2531
trustno1 x2213
jennifer x2155
sunshine x1901
iloveyou x1893
starwars x1718
computer x1688
michelle x1677
11111111 x1575
princess x1483
987654321 x1349
corvette x1327
1234qwer x1276
88888888 x1243
q1w2e3r4t5 x1201
internet x1196
samantha x1149
whatever x1139
maverick x1116
steelers x1058
mercedes x1050
123123123 x1016
```

(obviously a somewhat longer list may be used for blocking)

```
# Tally every password of at least 8 characters in the xato.net dump
# (one "username<TAB>password" pair per line) and print those seen
# more than 1000 times, most frequent first.
passwords = {}
File.foreach("10-million-combos.txt") do |line|
  begin
    password = line.split[1]
  rescue ArgumentError
    # skip lines with an invalid byte sequence
    next
  end
  next if password.nil?
  next if password.length < 8

  passwords[password] ||= 0
  passwords[password] += 1
end

passwords.to_a.sort_by { |entry| -entry[1] }.each do |entry|
  password = entry[0]
  count = entry[1]
  next if count <= 1000

  puts "#{password} x#{count}"
end
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/2285
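An added example, not part of the issue or of the openstreetmap-website code, of the registration-side check the request describes: a denylist loaded from the same "password xCOUNT" format as the list above, applied case-insensitively alongside the existing 8-character minimum. The sample list contents, constant names and function names are assumptions.

```ruby
require "set"

# Constructed sample in the "password xCOUNT" format of the list above;
# a deployment would load a longer file built from the same dump.
COMMON_PASSWORDS_TEXT = <<~LIST
  password x19580
  12345678 x13582
  123456789 x11696
  qwertyuiop x2860
  1qaz2wsx x2531
  trustno1 x2213
  iloveyou x1893
LIST

MIN_PASSWORD_LENGTH = 8

# Normalise so that "Password" and " password " hit the same denylist entry.
def normalise_password(password)
  password.to_s.strip.downcase
end

# Build a Set from "password xCOUNT" lines; blank lines are skipped.
def load_common_passwords(text)
  text.each_line.with_object(Set.new) do |line, set|
    entry = line.split.first
    set << normalise_password(entry) if entry
  end
end

COMMON_PASSWORDS = load_common_passwords(COMMON_PASSWORDS_TEXT).freeze

# Returns nil when the password is acceptable, otherwise a symbol naming
# the first rule it fails, in the order a registration form would check.
def password_rejection_reason(password, denylist = COMMON_PASSWORDS)
  return :too_short if password.to_s.length < MIN_PASSWORD_LENGTH
  return :too_common if denylist.include?(normalise_password(password))

  nil
end

if __FILE__ == $PROGRAM_NAME
  ["12345678", "Password", "correct horse battery", "abc"].each do |pw|
    puts "#{pw.inspect}: #{password_rejection_reason(pw) || 'ok'}"
  end
end
```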