How to store and search list of 'Banned Passwords'

I'm working on a project where I need to have a set of password restrictions that includes a file of disallowed passwords (all the common passwords like 'abc', 'abcdef', '12345', 'password', etc.). The file of passwords will consist of around 10000-15000 words.

Now I want to make sure that when a user sets/changes a password, it doesn't exist in the list. I was thinking of using a dictionary (or map) in Java (with buckets as 'A', 'B', 'C'.... 'Z','NUMBERS','SPECIAL_CHARS') so that I just check the first character and then search the corresponding bucket. But I'm not sure what kind of performance I can get out of this.

Any suggestions for working with a 'Banned Passwords' List.... Any other pointers to watch out for?

navinpai asked Mar 08 '13 06:03




1 Answer

If you extend your approach of "one bucket per letter" to the complete string, you will end up with a trie, which looks like a nice structure for this problem, though I can't see a reason for not using a single HashSet (after all, the verification cost is almost constant, and the hash set searches in the bucket where the password is supposed to be stored). Splitting the hash depending on the initial letter does not improve the performance in comparison with using a single set.

On the other hand, if your implementation is memory bounded, you could avoid storing some banned passwords and do a rule-guided verification (e.g. check if there are 4 consecutive characters that differ by one, as in "ghij", or check if they are fragments of a keyboard row, such as "yuiop"). Each rule will be equivalent to several banned passwords.

Javier answered Sep 17 '22 09:09
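The two ideas in the answer combined into one Java checker, as an added example that is not part of the question or the answer: the whole list goes into a single HashSet after case-folding, and two rules ("four consecutive characters that differ by one" and "a fragment of a keyboard row") reject families of weak passwords without storing each one. The six-entry sample list, the run length of 4 and the US QWERTY row strings are constructed assumptions standing in for the real 10000-15000 word file.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Banned-password check: exact HashSet lookup plus the two rule checks described in the answer. */
public final class BannedPasswordChecker {

    // Constructed sample standing in for the real banned-password file (one password per line).
    private static final String SAMPLE_LIST = String.join("\n",
            "abc", "abcdef", "12345", "password", "Password1", "letmein");

    // Keyboard rows for the "fragment of a keyboard row" rule (assumed US QWERTY layout).
    private static final String[] KEYBOARD_ROWS = {
            "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"};

    private final Set<String> banned = new HashSet<>();
    private final int runLength;   // number of consecutive characters that trigger a rule

    public BannedPasswordChecker(BufferedReader source, int runLength) throws IOException {
        this.runLength = runLength;
        String line;
        while ((line = source.readLine()) != null) {
            String word = normalize(line);
            if (!word.isEmpty()) banned.add(word);
        }
    }

    /** Trims and case-folds so "Password" and "password " resolve to the same set entry. */
    static String normalize(String s) {
        return s.trim().toLowerCase(Locale.ROOT);
    }

    /** Returns true when the candidate must be rejected. */
    public boolean isBanned(String candidate) {
        String p = normalize(candidate);
        return banned.contains(p) || hasSequentialRun(p) || hasKeyboardRun(p);
    }

    /** Rule 1: runLength consecutive characters whose code points differ by exactly one,
     *  in either direction ("ghij", "4321"). */
    boolean hasSequentialRun(String p) {
        int ascending = 1, descending = 1;
        for (int i = 1; i < p.length(); i++) {
            int diff = p.charAt(i) - p.charAt(i - 1);
            ascending = (diff == 1) ? ascending + 1 : 1;
            descending = (diff == -1) ? descending + 1 : 1;
            if (ascending >= runLength || descending >= runLength) return true;
        }
        return false;
    }

    /** Rule 2: a window of runLength characters that is a substring of a keyboard row,
     *  read forwards or backwards ("yuiop", "poiuy"). */
    boolean hasKeyboardRun(String p) {
        for (int i = 0; i + runLength <= p.length(); i++) {
            String window = p.substring(i, i + runLength);
            String reversed = new StringBuilder(window).reverse().toString();
            for (String row : KEYBOARD_ROWS) {
                if (row.contains(window) || row.contains(reversed)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        BannedPasswordChecker checker =
                new BannedPasswordChecker(new BufferedReader(new StringReader(SAMPLE_LIST)), 4);
        // Expected: the first four are rejected (exact hit, case-folded hit, rule 1, rule 2); the last passes.
        for (String c : List.of("password", "PASSWORD", "xghijx", "myyuiop9", "Tr0ub4dor&3")) {
            System.out.printf("%-12s banned=%b%n", c, checker.isBanned(c));
        }
    }
}
```

The lookup cost is one hash computation plus a bucket probe regardless of the first character, which is why the answer sees no gain from pre-splitting by initial letter. Normalizing before insertion and before lookup matters more than the container choice: without it, "Password" slips past a list that only contains "password". The rule checks are linear in the candidate length and replace whole families of entries, at the price of also rejecting a few legitimate strings that happen to contain a keyboard run.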