When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
* Passwords obtained from previous breach corpuses.
* Dictionary words.
* Repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd').
* Context-specific words, such as the name of the service, the username, and derivatives thereof.
This is an initial approach for this requirement:
A trivial password is a password that wholly consists of one, two or three chunks, where each chunk is one of these:
- A password from the list of 10,000 most common passwords, extended by "FOLIO", matching case insensitively: https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords
- A substring or the complete string of any of these sequential strings: 01234567890, 09876543210, abcdefghijklmnopqrstuvwxyz
- A substring or the complete string of any of these keyboard sequences: qwertyuiop, poiuytrewq, qwertzuiop, poiuztrewq, asdfghjkl, lkjhgfdsa, zxcvbnm, mnbvcxz, yxcvbnm, mnbvcxy (qwerty is English, qwertz is German keyboard layout).
- A single character
- Two digits (number from 00-99)
- A year from 1900-2099
- A character repeated multiple times (like '$$$$$')
Examples:
- aaaaaa is forbidden because it consists of one chunk of a repeated character.
- 1234abcd is forbidden because it consists of the two chunks 1234 and abcd; each chunk is a sequential string.
- foliopassword2020 is forbidden because it consists of three chunks: folio and password are from the frequently used passwords list, 2020 is a year.
- uvwxyqsdfghjkl is forbidden because it consists of three chunks: uvwxy is a sequential string, q is a single character, sdfghjkl is a keyboard sequence.
- 12345abcde67890fghij is not forbidden by this rule because it consists of four chunks: 12345, abcde, 67890, fghij.
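A reference implementation of the chunk rule above, added here as an illustration and not FOLIO's own code. It uses a small constructed stand-in for the 10,000-password list and assumes case-insensitive matching for every chunk type, not only the common-password list; it returns the chunks it found so the reason for a rejection can be shown.

```python
"""Trivial-password check: a password is trivial when it is wholly made of
at most three chunks, each matching one of the rule's chunk types."""
from typing import List, Optional

# Constructed stand-in for the 10,000 most common passwords; a real check
# loads the full Wikipedia list. "folio" is the service-specific addition.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "folio"}
SEQUENCES = ["01234567890", "09876543210", "abcdefghijklmnopqrstuvwxyz"]
KEYBOARD_ROWS = ["qwertyuiop", "poiuytrewq", "qwertzuiop", "poiuztrewq",
                 "asdfghjkl", "lkjhgfdsa", "zxcvbnm", "mnbvcxz", "yxcvbnm", "mnbvcxy"]
MAX_CHUNKS = 3


def is_chunk(s: str) -> bool:
    """True if the lower-cased string s is a single trivial chunk."""
    if not s:
        return False
    if s in COMMON_PASSWORDS:                                   # common password
        return True
    if any(s in seq for seq in SEQUENCES + KEYBOARD_ROWS):      # (sub)sequence
        return True
    if len(s) == 1:                                             # single character
        return True
    if len(s) == 2 and s.isdecimal():                           # 00-99
        return True
    if len(s) == 4 and s.isdecimal() and 1900 <= int(s) <= 2099:  # year
        return True
    return len(set(s)) == 1                                     # repeated character


def trivial_split(password: str, max_chunks: int = MAX_CHUNKS) -> Optional[List[str]]:
    """Return the chunks that make the password trivial, or None if it is not.

    Matching is case-insensitive throughout (assumption; the rule only states
    this for the common-password list). Longest prefixes are tried first, with
    backtracking, so a valid split is found whenever one exists.
    """
    def split(rest: str, left: int) -> Optional[List[str]]:
        if rest == "":
            return []
        if left == 0:
            return None
        for i in range(len(rest), 0, -1):
            if is_chunk(rest[:i]):
                tail = split(rest[i:], left - 1)
                if tail is not None:
                    return [rest[:i]] + tail
        return None
    return split(password.lower(), max_chunks)


def is_trivial(password: str) -> bool:
    return trivial_split(password) is not None
```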
How does this trivial password rule compare with the Pwned password list (
| Trivial password rule | "Have I Been Pwned?" password list |
|---|---|
| 10,000 passwords (75 kB) | > 500,000,000 passwords (10 GB) |
| Free of charge | Free of charge, both download and online API |
| Can be enabled by default | Cannot be enabled by default (size, external API call to third party) |
| Tenant can extend list | Fixed list |
| Combines listed passwords and trivial sequences | Checks the complete password only |
Both are needed; they complement each other.