Add password blacklisting support (ability to disallow certain commonly-used passwords)

Status: NEW
Assignee: Unassigned
Product: bugzilla.mozilla.org
Component: Extensions: Other
Priority: P5
Severity: enhancement
Reported: 6 years ago
Modified: a year ago

People

(Reporter: reed, Unassigned)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
It's becoming clear from account dumps from various websites that people have dissected over the years that people still have a bad tendency to use common passwords. Bugzilla should be able to support checking passwords against a list of commonly-used passwords and force the user to pick something else instead.
(Reporter)

Updated

6 years ago
Whiteboard: [wanted-bmo]

Comment 1

6 years ago
For some local (private or test) installations, this would be annoying. For sensitive installations, why not simply set the password_complexity parameter to letters_numbers_specialchars? I doubt there are common passwords which match this. My personal opinion is WONTFIX (especially because each language has its own set of "common" words).
Whiteboard: [wanted-bmo] → [wanted-bmo] WONTFIX?
Comment 2

Do we have hooks in place for a password complexity validator when setting a new password? This would be a good job for an extension (which wouldn't necessarily need to be done by upstream Bugzilla). We should probably make sure there's an appropriate hook or hooks to make it possible though.
(Reporter)

Comment 3

6 years ago
Sure, I did not mean to imply that all Bugzilla installations would have this checking. Whether it's an extension or not doesn't matter to me, though having it upstream would be nice. It should definitely be an optional thing done on a per-Bugzilla instance, though.
Comment 4

a much easier solution for bmo is to set password_complexity to letters_numbers; filed bug 672150.
Whiteboard: [wanted-bmo] WONTFIX? → WONTFIX?
(Reporter)

Comment 5

6 years ago
(In reply to comment #4)
> a much easier solution for bmo is to set password_complexity to
> letters_numbers; filed bug 672150.

No, completely separate issue. Mozilla is doing this particular bug for all high-profile web properties.
Whiteboard: WONTFIX? → [wanted-bmo] WONTFIX?
Comment 6

as mozilla's infrasec team will be maintaining the list, this is really a bmo-specific extension; moving.
Assignee: user-accounts → nobody
Component: User Accounts → Extensions
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa → extensions
Whiteboard: [wanted-bmo] WONTFIX?
Version: 4.0.1 → Current
Comment 7

> Blacklisted passwords should be implemented (contact infrasec for the list)

mcoates: can you please point us in the direction of the blacklist?
Comment 8

(In reply to comment #7)
> > Blacklisted passwords should be implemented (contact infrasec for the list) 
> 
> mcoates: can you please point us in the direction of the blacklist?

Sent via email.
Comment 9

Created attachment 546573
blacklist

after a quick change with mcoates, we'll use the passwords from http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

only 45 out of the top 500 will pass our minimum length requirement, attached.
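Added here as an illustration (not Bugzilla code, and not the attached list): the three checks the description and comment 9 discuss, in Python. It enforces the 8-character minimum, an assumed approximation of the password_complexity levels named in the thread, and a blacklist pruned to the entries the length rule would not already reject; the blacklist entries and the complexity patterns are constructed assumptions.

```python
import re

# Minimum length the thread mentions (raised from 6 to 8 on bmo).
MIN_LENGTH = 8

# Constructed sample of commonly used passwords; NOT the list attached
# to the bug, just plausible entries for the demonstration.
RAW_BLACKLIST = [
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "trustno1", "baseball", "iloveyou", "monkey", "dragon", "Password1",
]

# Assumed approximation of Bugzilla's password_complexity levels:
# each level lists the character classes a password must contain.
COMPLEXITY_RULES = {
    "no_constraints": [],
    "letters_numbers": [r"[A-Za-z]", r"[0-9]"],
    "letters_numbers_specialchars": [r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"],
}


def prune_blacklist(entries, min_length=MIN_LENGTH):
    """Drop entries the length rule already rejects (comment 9 kept 45 of
    500 this way) and lower-case the rest so the lookup ignores case."""
    return {e.lower() for e in entries if len(e) >= min_length}


def check_password(password, complexity, blacklist):
    """Return None if the password is acceptable, otherwise the name of
    the first rule that rejects it: too_short, not_complex, blacklisted."""
    if len(password) < MIN_LENGTH:
        return "too_short"
    if complexity not in COMPLEXITY_RULES:
        raise ValueError(f"unknown password_complexity level: {complexity}")
    if any(not re.search(cls, password) for cls in COMPLEXITY_RULES[complexity]):
        return "not_complex"
    # Case-insensitive match: "Password1" and "password1" are the same guess.
    if password.lower() in blacklist:
        return "blacklisted"
    return None


if __name__ == "__main__":
    blacklist = prune_blacklist(RAW_BLACKLIST)
    print(f"{len(blacklist)} of {len(RAW_BLACKLIST)} sample entries survive the length rule")
    for pw in ("letmein", "Password1", "trustno1", "correcthorse", "xK9#quartz"):
        print(f"{pw!r:16} letters_numbers -> {check_password(pw, 'letters_numbers', blacklist)}")
```

Note that "Password1" satisfies letters_numbers yet is still rejected, which is the gap a blacklist closes that the complexity parameter alone does not.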
Comment 10

Do we have a way to force people to change their password on first login if their password is valid but doesn't match the minimum requirements rather than forcing a password reset like it does currently? We've had multiple occasions since bumping it from 6 to 8 for the minimum length where people without access to the email address they signed up with get locked out because they couldn't get the reset email. Although on the other hand, I kinda have to say that's what they get for not changing their email address in Bugzilla. But then again, not everyone remembers everywhere they have their email address when they change it.
Priority: -- → P5