On Sun, 1 Dec 2024 at 19:20, Radoslaw Skorupka <[email protected]> wrote:

> On 01.12.2024 at 09:29, Tony Harminc wrote:
> > On Thu, 28 Nov 2024 at 10:48, Radoslaw Skorupka <[email protected]> wrote:
> [...]
> >> So, we need a list of common passwords to reject them. Now the most important: WHO CREATES THE LIST? And how often is it updated?
> >
> > https://haveibeenpwned.com/
> >
> > Contains a downloadable list, an API to the online list, a simple web interface to test your password, and perhaps most important, a good explanation of why it's safe to test your password using their API.
> > https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
> [...]
> No.
> None of the lists above is an *official* list to use.
> Can I use an unofficial one? Great! A colleague of mine will publish a list of passwords. Yes, it will be published. As the above.
> Less popular? Who measures it? Is it a criterion?
> No. So I can use *any* list I want.
> And even then the update process is not even touched.

I don't think I'm getting your point. I mentioned only the one list.

I suggest that you actually read some of the background and recommendations on the two related sites above. Yes, you can download the list (hashed, not plaintext, and if you want to waste a lot of CPU time on dehashing it, he is fine with that), but it's probably better and easier to check it online using the API. As I said earlier, and as is well explained on the site, you will not be contributing each password proposed by your users to the list.

You want an "official" list, but who would provide such a thing? Your employer? Some local government agency? Will it be plain text or hashes? What would be "better" about any such official list than what is probably the biggest list of pwned passwords on the planet? It does get updated, not on some arbitrary schedule, but rather when there is a significant data breach from which new passwords are available. The API will check against the most recent version.

Almost certainly most "bad" passwords are already on the list, e.g. if you search for "Password123" it will tell you that it has been found 86194 times in data breaches. Even "correct horse battery staple" from https://xkcd.com/936 has been seen 62 times. The list, combined with a minimum length requirement (probably 12 or so), is imho about as good as it gets.

He (Troy Hunt, owner/publisher of the two sites above) does mention right on the main page that NIST (the most likely agency worldwide to issue anything "official" in this area) has a guideline to check against exactly such a list; indeed it is the NIST recommendation https://www.nist.gov/itl/tig/special-publication-800-63-3 that prompted him to build the list and the infrastructure to make it useful. (Yes, we know that NIST was subverted by the NSA over crypto algorithms https://harvardnsj.org/2022/06/07/dueling-over-dual_ec_drgb-the-consequences-of-corrupting-a-cryptographic-standardization-process , but it seems to me unlikely that guidance about avoiding pwned passwords would be subject to the same kind of subversion.)

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
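The k-anonymity range lookup that Tony refers to, written out as an added example (not code from the thread, HIBP, or Troy Hunt): the client hashes the candidate password with SHA-1, sends only the first five hex characters, receives every stored hash suffix sharing that prefix, and finishes the comparison locally, so the full password (and full hash) never leaves the client. The breach corpus, the `fake_range_lookup` server and the `acceptable` policy are constructed for this example; the two counts are the ones quoted in the thread.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str):
    """k-anonymity split: the 5-char prefix goes on the wire, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

# Constructed stand-in for the breach corpus behind the range endpoint. The first
# two counts are the figures quoted in the thread; the corpus itself is made up.
CONSTRUCTED_CORPUS = {
    "Password123": 86194,
    "correct horse battery staple": 62,
    "qwerty": 40000,
}

REQUEST_LOG = []  # everything the fake server receives; shows only prefixes leave the client

def fake_range_lookup(prefix: str) -> str:
    """Constructed stand-in for GET /range/{prefix}: returns one 'SUFFIX:COUNT' line for
    every stored hash sharing the prefix. The server never learns which suffix matters."""
    REQUEST_LOG.append(prefix)
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines into a {suffix: count} map; tolerates an empty body."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Times the password appears in the corpus (0 if absent). The local suffix is
    compared against the returned set; the client never transmits it."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)

def acceptable(password: str, min_length: int = 12) -> bool:
    """The policy the thread settles on: minimum length plus not-on-the-list."""
    return len(password) >= min_length and pwned_count(password) == 0
```

Swapping `fake_range_lookup` for an HTTP call to the real range endpoint keeps the client logic unchanged.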
