Add password strength option #31
Conversation
There was a problem hiding this comment.
Password complexity requirements around mixing cases has generally proven to lead to less secure passwords and not more - the general suggestion today is to not do that. Instead, what we should do is to check password against a common list of passwords - such as https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-10000.txt - and disallow that.
See https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/ for more information, and a link to the NIST guidelines themselves.
|
Nice article @yuvipanda ! Thanks. I changed it check for size and that if it is too common |
e3fb956 to
7dfbefb
Compare
662b27a to
6e1027f
Compare
nativeauthenticator/handlers.py
Outdated
|
|
||
| result_message = 'Your information have been sent to the admin' | ||
| if not user: | ||
| result_message = """Something went wrong. Be sure your password |
There was a problem hiding this comment.
This length should be configurable
|
|
||
| from .common_credentials import COMMON_CREDENTIALS |
There was a problem hiding this comment.
Can you make this a .txt file instead of a .py file?
There was a problem hiding this comment.
I thought about this but I would have to everytime open a file, create a list and then search in the list. I thought that if I already had a list, it would be more efficient. What do you think?
There was a problem hiding this comment.
Hmm, can we read it once - on first use and cache it? As a static method maybe? This also means it isn't loaded into memory unless it is needed.
I try to avoid Python files where possible for pure data, since any mistakes there - especially in massive files - can execute arbitrary code.
There was a problem hiding this comment.
Not sure how to do this using cache. Could you give me an example?
There was a problem hiding this comment.
Sure! something like
common_passwords.py
COMMON_PASSWORDS = None
def is_password_common(password):
global COMMON_PASSWORDS
if COMMON_PASSWORDS == None:
with open("path-to-file") as f:
COMMON_PASSWORDS = f.readlines()
return password in COMMON_PASSWORDS
How does that sound?
|
@yuvipanda I just added a new pull request for docs only |
c9d64b7 to
ea07fdf
Compare
| if not self.COMMON_PASSWORDS: | ||
| with open(common_credentials_file) as f: | ||
| self.COMMON_PASSWORDS = f.read().splitlines() | ||
| return password.lower() in self.COMMON_PASSWORDS |
There was a problem hiding this comment.
Does COMMON_PASSWORDS only contain lowercase characters?
There was a problem hiding this comment.
Indeed, it doesn't. I removed this lower() method :)
| return password.lower() in self.COMMON_PASSWORDS | ||
|
|
||
| def is_password_strong(self, password): | ||
| checks = [ |
There was a problem hiding this comment.
I think these should be two config options:
disallow_common_passwords- Checks if password used is common. Default to Trueminimum_password_length- Only allow passwords longer than this. Can be set to 0 to disable length checking. Defaults to 8.
Also, when checking a constant number of variables like this, it's clearer to just use a boolean expression directly len(password) >= self.minimum_password_length and not self.is_common_password(password) than using all
Changed to add the NIST guidelines of size and avoid common passwords
nativeauthenticator/handlers.py
Outdated
| result_message = 'Your information have been sent to the admin' | ||
| if not user: | ||
| result_message = """Something went wrong. Be sure your password | ||
| has at least 8 characters and is not |
There was a problem hiding this comment.
This should refer to the actual configured length rather than be hardcoded to 8
5a56f14 to
c59ef08
Compare
Closes #22