
mahara-contributors team mailing list archive

[Bug 844457] A change has been merged

 

Reviewed:  https://reviews.mahara.org/4166
Committed: http://gitorious.org/mahara/mahara/commit/f166c23517fbec15cc1cd776bc8459fa72f72959
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    master

commit f166c23517fbec15cc1cd776bc8459fa72f72959
Author: Amelia Cordwell <amelia.stuffed@xxxxxxxxx>
Date:   Wed Jan 14 11:23:10 2015 +1300

Bug 844457 - suckypasswords array increase

I increased the list of bad passwords for user's new passwords to
be checked against using the lists, http://sharetext.org/BEM, and
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html .
While this is much better than the previous list, at some point
it would probably be a good idea to change the way this works.

Change-Id: I1ca667fdd53729e2f05eb7e3e95622a7cfef7b31

-- 
https://bugs.launchpad.net/bugs/844457

Title:
  suckypasswords check is very limited, could be expanded

Status in Mahara ePortfolio:
  Fix Committed

Bug description:
  When validating passwords, there is a check against an array of really bad passwords:
  https://gitorious.org/mahara/mahara/blobs/f7d9a23f0744f719fc7f75bd5d740eef6ae4d055/htdocs/auth/lib.php#line1606

  Currently the collection of bad passwords is really small. It could be expanded. Some resources are:
  http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html
  http://img.sjbn.co/files/500-most-used-passwords-show-as-a-tag-cloud.gif
  http://www.skullsecurity.org/wiki/index.php/Passwords

  There should be more than one level of filtering bad passwords. Some,
  such as the current suckypasswords collection, should be forced. There
  should also be an optional blacklist based on the resources above.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/844457/+subscriptions
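
The two levels of filtering proposed in the bug description (a forced list plus an optional, site-configurable one) can be sketched as below. This is an added example, not Mahara's code and not part of the original message; the function names, the list entries and the `$optionalEnabled` switch are all assumptions made for illustration.

```php
<?php
// Added illustration: all names and list entries below are constructed.

// Tier 1: short list that is always enforced.
const FORCED_DENYLIST = ['password', 'abc123', '123456', 'letmein'];
// Tier 2: larger list that a site administrator may switch on.
const OPTIONAL_DENYLIST = ['qwerty', 'monkey', 'dragon', 'iloveyou', 'welcome'];

// Case-fold and trim so "Password " and "password" match the same entry.
function normalise_password(string $password): string {
    return strtolower(trim($password));
}

// Turn a list into a hash set so lookups stay O(1) as the lists grow.
function build_denyset(array $entries): array {
    return array_fill_keys(array_map('normalise_password', $entries), true);
}

// Returns ['ok' => bool, 'tier' => 'forced' | 'optional' | null].
function check_new_password(string $password, bool $optionalEnabled): array {
    static $forced = null, $optional = null;
    $forced ??= build_denyset(FORCED_DENYLIST);
    $optional ??= build_denyset(OPTIONAL_DENYLIST);

    $candidate = normalise_password($password);
    if (isset($forced[$candidate])) {
        return ['ok' => false, 'tier' => 'forced'];   // rejected on every site
    }
    if ($optionalEnabled && isset($optional[$candidate])) {
        return ['ok' => false, 'tier' => 'optional']; // rejected only when enabled
    }
    return ['ok' => true, 'tier' => null];
}

// Constructed inputs: the same candidate under both site settings.
foreach (['Password ', 'Dragon', 'correct horse battery staple'] as $pw) {
    foreach ([false, true] as $enabled) {
        $r = check_new_password($pw, $enabled);
        printf("%-30s optional=%-3s -> %s%s\n", var_export($pw, true),
            $enabled ? 'on' : 'off', $r['ok'] ? 'accepted' : 'rejected',
            $r['tier'] ? " ({$r['tier']} list)" : '');
    }
}
```

Returning the tier that matched lets the caller tell the user whether the rejection is a fixed rule or a site policy, and lets an administrator see how often the optional list fires before turning it on.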

