Trivial password rule



    • Vega


      NIST says:

      When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

      * Passwords obtained from previous breach corpuses.

      * Dictionary words.

      * Repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd').

      * Context-specific words, such as the name of the service, the username, and derivatives thereof.

      This is an initial approach for this requirement:

      A trivial password is a password that wholly consists of one, two or three chunks where each chunk is one of these:

      • A password from the list of 10,000 most common passwords, extended by "FOLIO", matching case insensitively: https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords
      • A substring or the complete string of any of these sequential strings: 01234567890, 09876543210, abcdefghijklmnopqrstuvwxyz
      • A substring or the complete string of any of these keyboard sequences: qwertyuiop, poiuytrewq, qwertzuiop, poiuztrewq, asdfghjkl, lkjhgfdsa, zxcvbnm, mnbvcxz, yxcvbnm, mnbvcxy (qwerty is English, qwertz is German keyboard layout).
      • A single character
      • Two digits (number from 00-99)
      • A year from 1900-2099
      • A character repeated multiple times (like '$$$$$')

      Examples:

      • aaaaaa is forbidden because it consists of one chunk of a repeated character
      • 1234abcd is forbidden because it consists of the two chunks 1234 and abcd, each chunk is a sequential string
      • foliopassword2020 is forbidden because it consists of three chunks: folio and password are from the frequently used passwords list, 2020 is a year.
      • uvwxyqsdfghjkl is forbidden because it consists of three chunks: uvwxy is a sequential string, q is a single character, sdfghjkl is a keyboard sequence
      • 12345abcde67890fghij is not forbidden by this rule because it consists of four chunks: 12345, abcde, 67890, fghij
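      The chunk rule above as a runnable check (an added example written for this post, not code from the FOLIO mod-login project). The real rule loads the full 10,000-password list from the Wikipedia page; here a small constructed stand-in list is embedded so the example runs offline, and the recursive split tries every way of cutting the password into at most three non-empty chunks.

```python
import re

# Constructed stand-in for the 10,000 most common passwords, extended by "FOLIO".
# A real deployment loads the complete list from the URL given in the rule.
COMMON = {"password", "folio", "123456", "qwerty", "letmein"}

SEQUENCES = ["01234567890", "09876543210", "abcdefghijklmnopqrstuvwxyz"]
KEYBOARD = ["qwertyuiop", "poiuytrewq", "qwertzuiop", "poiuztrewq",
            "asdfghjkl", "lkjhgfdsa", "zxcvbnm", "mnbvcxz", "yxcvbnm", "mnbvcxy"]


def is_chunk(s: str) -> bool:
    """True if the non-empty string s is one of the trivial chunk types of the rule."""
    if not s:
        return False                      # "" is a substring of everything; never a chunk
    low = s.lower()                       # list match is case-insensitive; sequences too
    if low in COMMON:
        return True
    if any(low in seq for seq in SEQUENCES + KEYBOARD):
        return True                       # substring or whole of a sequential/keyboard string
    if len(s) == 1:
        return True                       # single character
    if re.fullmatch(r"[0-9]{2}", s):
        return True                       # two digits, 00-99
    if re.fullmatch(r"(19|20)[0-9]{2}", s):
        return True                       # a year 1900-2099
    if len(set(s)) == 1:
        return True                       # one character repeated, like '$$$$$'
    return False


def is_trivial(pw: str, max_chunks: int = 3) -> bool:
    """True if pw wholly consists of 1..max_chunks trivial chunks (every split is tried)."""
    if not pw or max_chunks == 0:
        return False
    for cut in range(1, len(pw) + 1):
        head, tail = pw[:cut], pw[cut:]
        if is_chunk(head) and (tail == "" or is_trivial(tail, max_chunks - 1)):
            return True
    return False


if __name__ == "__main__":
    for candidate in ["aaaaaa", "1234abcd", "foliopassword2020",
                      "uvwxyqsdfghjkl", "12345abcde67890fghij"]:
        print(f"{candidate!r}: {'forbidden' if is_trivial(candidate) else 'allowed'}")
```

      Because every cut position is tried, the check is cubic in the password length for three chunks, which is fine for passwords but worth noting if the chunk limit is ever raised.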

      How does this trivial password rule compare with the Pwned password list (MODLOGIN-34)?

      Trivial password rule                              "Have I Been Pwned?" password list
      -------------------------------------------------  ----------------------------------------------------------------------
      10,000 passwords (75 kB)                           > 500,000,000 passwords (10 GB)
      Free of charge                                     Free of charge, both download and online API
      Can be enabled by default                          Cannot be enabled by default (size, external API call to third party)
      Tenant can extend list                             Fixed list
      Combines listed passwords and trivial sequences    Checks the complete password only

      Both are needed; they complement each other.

