Bug 672130 - Add password blacklisting support (ability to disallow certain commonly-used passwords)
Status: NEW
Opened 13 years ago, updated 5 years ago
Product/Component: bugzilla.mozilla.org :: Extensions (enhancement, P5)
Reporter: reed; Assignee: Unassigned
Attachments: 1 file (405 bytes, text/plain)

Description
It's becoming clear from account dumps from various websites that people have dissected over the years that people still have a bad tendency to use common passwords. Bugzilla should be able to support checking passwords against a list of commonly-used passwords and force the user to pick something else instead.
Updated • 13 years ago
Whiteboard: [wanted-bmo]
Comment 1 • 13 years ago
For some local (private or test) installations, this would be annoying. For sensitive installations, why not simply set the password_complexity parameter to letters_numbers_specialchars? I doubt there are common passwords which match this. My personal opinion is WONTFIX (especially because each language has its own set of "common" words).
Whiteboard: [wanted-bmo] → [wanted-bmo] WONTFIX?
Comment 2 • 13 years ago
Do we have hooks in place for a password complexity validator when setting a new password? This would be a good job for an extension (which wouldn't necessarily need to be done by upstream Bugzilla). We should probably make sure there's an appropriate hook or hooks to make it possible though.
Comment 3 • 13 years ago
Sure, I did not mean to imply that all Bugzilla installations would have this checking. Whether it's an extension or not doesn't matter to me, though having it upstream would be nice. It should definitely be an optional thing done on a per-Bugzilla instance, though.
Comment 4 • 13 years ago
a much easier solution for bmo is to set password_complexity to letters_numbers; filed bug 672150.
Whiteboard: [wanted-bmo] WONTFIX? → WONTFIX?
Comment 5 • 13 years ago
(In reply to comment #4)
> a much easier solution for bmo is to set password_complexity to
> letters_numbers; filed bug 672150.

No, completely separate issue. Mozilla is doing this particular bug for all high-profile web properties.
Whiteboard: WONTFIX? → [wanted-bmo] WONTFIX?
Comment 6 • 13 years ago
as mozilla's infrasec team will be maintaining the list, this is really a bmo-specific extension; moving.
Assignee: user-accounts → nobody
Component: User Accounts → Extensions
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa → extensions
Whiteboard: [wanted-bmo] WONTFIX?
Version: 4.0.1 → Current
Comment 7 • 13 years ago
> Blacklisted passwords should be implemented (contact infrasec for the list)

mcoates: can you please point us in the direction of the blacklist?
Comment 8 • 13 years ago
(In reply to comment #7)
> > Blacklisted passwords should be implemented (contact infrasec for the list)
>
> mcoates: can you please point us in the direction of the blacklist?

Sent via email.
Comment 9 • 13 years ago
after a quick chat with mcoates, we'll use the passwords from http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

only 45 out of the top 500 will pass our minimum length requirement; attached.
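The mechanism sketched across comment 2 (a validator hooked into the set-password path) and comment 9 (a public top-500 list trimmed to the entries that survive the minimum-length rule) can be shown in a few dozen lines. The block below is an added example, not Bugzilla's code and not the bmo extension that this bug asks for; it does not assume any particular Bugzilla hook name. The password list embedded in it is constructed for illustration and is not the real top-500 list or the attached file; the minimum length of 8 is taken from comment 10.

```python
"""Common-password blacklist check in the spirit of bug 672130.

Added example code, not Bugzilla's own. It assumes a plain-text list with
one password per line (the shape of the attached file) and a site-wide
minimum password length; how a real Bugzilla extension would be invoked
is not assumed here.
"""
from __future__ import annotations

MIN_LENGTH = 8  # bmo's minimum at the time of comment 10 (bumped from 6 to 8)

# Constructed sample standing in for the "top 500" list. Not the real list.
SAMPLE_TOP_LIST = """
123456
password
12345678
qwerty
abc123
letmein
trustno1
iloveyou
baseball
master
"""


def _entries(text: str) -> list[str]:
    """One password per line; blank lines and '#' comments are ignored."""
    out = []
    for line in text.splitlines():
        pw = line.strip()
        if pw and not pw.startswith("#"):
            out.append(pw)
    return out


def load_blacklist(text: str, min_length: int = MIN_LENGTH) -> frozenset[str]:
    """Keep only entries that would pass the minimum-length rule (comment 9).

    Anything shorter is already rejected by the length check, so storing it
    would be dead weight. Entries are lower-cased so lookups can be
    case-insensitive (a choice made here, not something the bug specifies).
    """
    return frozenset(pw.lower() for pw in _entries(text) if len(pw) >= min_length)


def count_survivors(text: str, min_length: int = MIN_LENGTH) -> tuple[int, int]:
    """Return (entries kept, entries in the source list)."""
    entries = _entries(text)
    kept = sum(1 for pw in entries if len(pw) >= min_length)
    return kept, len(entries)


def is_blacklisted(password: str, blacklist: frozenset[str]) -> bool:
    """Case-insensitive membership test against the trimmed list."""
    return password.strip().lower() in blacklist


def has_letters_numbers(password: str) -> bool:
    """The letters_numbers complexity rule mentioned in comment 4."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def validate_password(
    password: str,
    blacklist: frozenset[str],
    min_length: int = MIN_LENGTH,
    require_letters_numbers: bool = False,
) -> list[str]:
    """Return every reason the password is rejected; an empty list means OK.

    Length and complexity are checked first, then the blacklist, so a
    rejected user sees all applicable reasons at once.
    """
    errors = []
    if len(password) < min_length:
        errors.append(f"must be at least {min_length} characters")
    if require_letters_numbers and not has_letters_numbers(password):
        errors.append("must contain both letters and numbers")
    if is_blacklisted(password, blacklist):
        errors.append("is on the list of commonly-used passwords")
    return errors


if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_TOP_LIST)
    print("kept %d of %d sample entries" % count_survivors(SAMPLE_TOP_LIST))
    for candidate in ("Password", "abc123", "correct horse", "Tr0ub4dor&3"):
        print(repr(candidate), validate_password(bl=bl, password=candidate,
                                                 require_letters_numbers=True)
              or "ok")
```

The blacklist lookup is case-insensitive on purpose: "Password" is no better than "password", and the list is only useful if trivial capitalisation does not sidestep it. The length filter is applied once at load time rather than per check, which is exactly the reduction comment 9 describes (500 entries down to the ones the length rule would not already catch).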
Comment 10 • 13 years ago
Do we have a way to force people to change their password on first login if their password is valid but doesn't match the minimum requirements rather than forcing a password reset like it does currently? We've had multiple occasions since bumping it from 6 to 8 for the minimum length where people without access to the email address they signed up with get locked out because they couldn't get the reset email. Although on the other hand, I kinda have to say that's what they get for not changing their email address in Bugzilla. But then again, not everyone remembers everywhere they have their email address when they change it.
Updated • 8 years ago
Priority: -- → P5
Updated • 5 years ago
Component: Extensions: Other → Extensions