Details
Story
Status: Closed
P3
Resolution: Won't Do
Vega
Description
NIST says:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
* Passwords obtained from previous breach corpuses.
* Dictionary words.
* Repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd').
* Context-specific words, such as the name of the service, the username, and derivatives thereof.
This is an initial approach to this requirement:
A trivial password is a password that consists entirely of one, two or three chunks, where each chunk is one of these:
- A password from the list of the 10,000 most common passwords, extended with "FOLIO", matched case-insensitively: https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords
- A substring (or the whole) of any of these sequential strings: 01234567890, 09876543210, abcdefghijklmnopqrstuvwxyz
- A substring (or the whole) of any of these keyboard sequences: qwertyuiop, poiuytrewq, qwertzuiop, poiuztrewq, asdfghjkl, lkjhgfdsa, zxcvbnm, mnbvcxz, yxcvbnm, mnbvcxy (qwerty is the English, qwertz the German keyboard layout)
- A single character
- Two digits (a number from 00 to 99)
- A year from 1900 to 2099
- A character repeated multiple times (like '$$$$$')
Examples:
- aaaaaa is forbidden because it consists of one chunk of a repeated character
- 1234abcd is forbidden because it consists of the two chunks 1234 and abcd, each chunk is a sequential string
- foliopassword2020 is forbidden because it consists of three chunks: folio and password are from the frequently used passwords list, 2020 is a year.
- uvwxyqsdfghjkl is forbidden because it consists of three chunks: uvwxy is a sequential string, q is a single character, sdfghjkl is a keyboard sequence
- 12345abcde67890fghij is not forbidden by this rule because it consists of four chunks: 12345, abcde, 67890, fghij
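The rule above is a decomposition problem: a password is trivial if it can be cut into at most three pieces, each of which matches one of the chunk kinds. The following is an added reference implementation, not code from mod-password-validator or from this ticket. It assumes the whole comparison is case-insensitive (the ticket only states that for the common-password list), and it embeds a constructed ten-entry stand-in for the 10,000-entry list, so real results depend on loading the full list. The search tries the longest matching prefix first and recurses on the remainder, bounded by the three-chunk limit, which is enough for realistic password lengths.

```python
import re

# Constructed stand-in for the 10,000 most common passwords list referenced in
# the ticket; the full list is not embedded here. "folio" is the FOLIO extension.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "folio",
})

# Sequential and keyboard strings exactly as listed in the ticket.
SEQUENTIAL = ("01234567890", "09876543210", "abcdefghijklmnopqrstuvwxyz")
KEYBOARD = ("qwertyuiop", "poiuytrewq", "qwertzuiop", "poiuztrewq",
            "asdfghjkl", "lkjhgfdsa", "zxcvbnm", "mnbvcxz", "yxcvbnm", "mnbvcxy")
YEAR = re.compile(r"(19|20)[0-9]{2}")      # 1900-2099
TWO_DIGITS = re.compile(r"[0-9]{2}")       # 00-99
MAX_CHUNKS = 3


def is_trivial_chunk(s: str) -> bool:
    """True if s (already lower-cased) is one of the chunk kinds in the rule."""
    if not s:
        return False
    return (
        s in COMMON_PASSWORDS
        or any(s in seq for seq in SEQUENTIAL)   # substring of a sequence
        or any(s in seq for seq in KEYBOARD)     # substring of a keyboard row
        or len(s) == 1                           # single character
        or TWO_DIGITS.fullmatch(s) is not None
        or YEAR.fullmatch(s) is not None
        or (len(s) >= 2 and len(set(s)) == 1)    # one character repeated
    )


def trivial_split(password: str, max_chunks: int = MAX_CHUNKS):
    """Return the chunk list proving the password is trivial, or None.

    Longest prefix first, recursing on the tail; at most max_chunks levels,
    each scanning O(n) prefixes, so the cost is bounded by O(n**max_chunks).
    """
    pw = password.lower()  # assumption: case-insensitive for every chunk kind
    if not pw:
        return None

    def _split(s: str, remaining: int):
        if remaining == 0:
            return None
        for cut in range(len(s), 0, -1):
            head, tail = s[:cut], s[cut:]
            if not is_trivial_chunk(head):
                continue
            if not tail:
                return [head]
            rest = _split(tail, remaining - 1)
            if rest is not None:
                return [head] + rest
        return None

    return _split(pw, max_chunks)


def is_trivial(password: str) -> bool:
    """Reject the password if the rule can explain it with <= 3 chunks."""
    return trivial_split(password) is not None


if __name__ == "__main__":
    for candidate in ("aaaaaa", "1234abcd", "foliopassword2020",
                      "uvwxyqsdfghjkl", "12345abcde67890fghij", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {trivial_split(candidate)}")
```

Two properties of the rule fall out of running this: every password of three or fewer characters is trivial, because each character is its own single-character chunk, and a long run such as abcdefghijklmnop is trivial despite its length, because the whole run is one sequential chunk. Both are intended by the rule as written, but worth knowing when tuning the chunk limit.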
How does this trivial password rule compare with the Pwned password list (MODLOGIN-34)?
| Trivial password rule | "Have I Been Pwned?" password list |
|---|---|
| 10,000 passwords (75 kB) | > 500,000,000 passwords (10 GB) |
| Free of charge | Free of charge, both download and online API |
| Can be enabled by default | Cannot be enabled by default (size, external API call to third party) |
| Tenant can extend list | Fixed list |
| Combines listed passwords and trivial sequences | Checks the complete password only |
Both are needed, they complement each other.
Issue Links
- is required by: UXPROD-2305 Q2 2020 | Local Password Management Updates (Closed)
- relates to: MODPWD-32 Do not use password complexity requirements (Closed)
- relates to: MODPWD-35 Drop keyboard sequence and repeating symbols password substring requirements. And update white space character password rule (Closed)
- relates to: STSMACOM-338 Handle error message for a new password validation rule (Closed)
- relates to: MODPWD-51 Implement a bad password list(s) (Closed)