It's becoming clear from the account dumps from various websites that people have dissected over the years that users still have a bad tendency to use common passwords. Bugzilla should be able to check passwords against a list of commonly used passwords and force the user to pick something else instead.
For some local (private or test) installations, this would be annoying. For sensitive installations, why not simply set the password_complexity parameter to letters_numbers_specialchars? I doubt there are common passwords which match this. My personal opinion is WONTFIX (especially because each language has its own set of "common" words).
Do we have hooks in place for a password complexity validator when setting a new password? This would be a good job for an extension (which wouldn't necessarily need to be done by upstream Bugzilla). We should probably make sure there's an appropriate hook or hooks to make it possible though.
Sure, I did not mean to imply that all Bugzilla installations would have this checking. Whether it's an extension or not doesn't matter to me, though having it upstream would be nice. It should definitely be an optional thing done on a per-Bugzilla instance, though.
A much easier solution for bmo is to set password_complexity to letters_numbers; filed bug 672150.
(In reply to comment #4)
> a much easier solution for bmo is to set password_complexity to
> letters_numbers; filed bug 672150.

No, completely separate issue. Mozilla is doing this particular bug for all high-profile web properties.
As Mozilla's infrasec team will be maintaining the list, this is really a bmo-specific extension; moving.
> Blacklisted passwords should be implemented (contact infrasec for the list)

mcoates: can you please point us in the direction of the blacklist?
(In reply to comment #7)
> > Blacklisted passwords should be implemented (contact infrasec for the list)
>
> mcoates: can you please point us in the direction of the blacklist?

Sent via email.
Created attachment 546573
blacklist

After a quick change with mcoates, we'll use the passwords from http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time. Only 45 out of the top 500 will pass our minimum length requirement; attached.
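Added example (not code from Bugzilla, the bmo extension, or any commenter above) showing the two checks the thread discusses side by side: a password_complexity-style rule and a blacklist of common passwords pre-filtered to the entries that survive the minimum length, as done for the top-500 list. The policy names mirror the values mentioned in the thread; the list of weak passwords is a small constructed sample, not the attached file, and the function names are this example's own. It also makes the point raised in comment 2 concrete: a letters_numbers policy alone does not exclude every common password, because entries such as "trustno1" or "password1" satisfy it.

```python
"""Password checks: minimum length, complexity policy, and a common-password
blacklist. Illustrative code, not Bugzilla's own implementation."""

MIN_LENGTH = 8  # the thread's current minimum, raised from 6

# Constructed sample of commonly cited weak passwords (assumption: not the
# real attachment; chosen so that some pass the length and complexity rules).
SAMPLE_COMMON_PASSWORDS = [
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "trustno1", "iloveyou", "baseball", "football", "monkey", "dragon",
    "passw0rd", "password1", "sunshine", "princess", "master",
]

# Policy names follow the password_complexity values named in the thread.
POLICIES = ("no_constraints", "letters_numbers", "letters_numbers_specialchars")


def normalize(password):
    """Compare case-insensitively so 'Password1' matches 'password1'."""
    return password.strip().lower()


def filter_blacklist(common, min_length=MIN_LENGTH):
    """Keep only entries that would pass the length rule; anything shorter is
    rejected by the length check before the blacklist is ever consulted."""
    return {normalize(p) for p in common if len(p.strip()) >= min_length}


def meets_complexity(password, policy):
    """Return True if the password satisfies the given complexity policy."""
    if policy not in POLICIES:
        raise ValueError("unknown policy: %s" % policy)
    if policy == "no_constraints":
        return True
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        return False
    if policy == "letters_numbers_specialchars":
        return any(not c.isalnum() for c in password)
    return True


def validate_password(password, blacklist, policy="letters_numbers",
                      min_length=MIN_LENGTH):
    """Apply the checks in the cheap-to-expensive order a validator would use.

    Returns (accepted, reason) where reason is one of
    'ok', 'too_short', 'complexity', 'common'.
    """
    if len(password) < min_length:
        return False, "too_short"
    if not meets_complexity(password, policy):
        return False, "complexity"
    if normalize(password) in blacklist:
        return False, "common"
    return True, "ok"


if __name__ == "__main__":
    blacklist = filter_blacklist(SAMPLE_COMMON_PASSWORDS)
    print("%d of %d sample entries survive the length rule"
          % (len(blacklist), len(SAMPLE_COMMON_PASSWORDS)))
    for candidate in ("abc123", "baseballz", "trustno1", "TrustNo1",
                      "Correct-Horse9"):
        print(candidate, validate_password(candidate, blacklist,
                                           "letters_numbers_specialchars"))
```

The blacklist is filtered once at load time, so the per-login cost is a single set lookup on the normalized password; the complexity check runs first because it needs no list at all.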
Do we have a way to force people to change their password on first login if their password is valid but doesn't match the minimum requirements, rather than forcing a password reset like it does currently? We've had multiple occasions since bumping the minimum length from 6 to 8 where people without access to the email address they signed up with got locked out because they couldn't get the reset email. On the other hand, I kinda have to say that's what they get for not changing their email address in Bugzilla. But then again, not everyone remembers everywhere they have their email address when they change it.