
I found a list of common passwords (i.e. "123456", "password", etc.) online.

Is there a public / open-source set of common passwords where a password policy was in use?

Example of a commonly implemented password policy:

  • At least 8 characters long
  • At least 1 upper case letter
  • At least 1 lower case letter
  • At least 1 special character
AleksanderCH
    You can create a filter very easily with regex to filter a wordlist... – ThoriumBR Aug 20 '21 at 12:59
  • I'm not sure what you are asking for. Or why you want it. You want leaked passwords and want to know what the technical password policy was for the set of passwords? Any password set from a single source will have a very obvious policy pattern. – schroeder Aug 20 '21 at 13:00
  • Well not necessarily leaked passwords, but in theory that would work as well. I have created a filter to my previous list of common passwords, but I thought that maybe such a list already exists. – AleksanderCH Aug 20 '21 at 13:10
  • "not necessarily leaked passwords" -- then what are you looking for? I'm very confused. – schroeder Aug 20 '21 at 13:15
  • You mean, what are the common passwords that people create when forced to create one based on various restrictions? – schroeder Aug 20 '21 at 13:16
  • Yes, exactly, a list of common passwords when people are forced to follow a password policy. – AleksanderCH Aug 20 '21 at 13:21

1 Answer

There are public password databases, but you'll have to download and filter them to your target set of requirements and/or use something like the Have I Been Pwned API to check for common passwords.

Arriving at a good set of requirements

Let's take your example policy and calculate its entropy:

  • At least 8 characters long
  • At least 1 upper case letter
  • At least 1 lower case letter
  • At least 1 special character

To estimate entropy, I'll convert "at least" to mean "exactly", so we have 8 chars including 1 upper, 1 lower, and 1 special. There are 94 printable characters, 26 uppers, 26 lowers, and 32* specials, so the entropy is log₂(26×26×32×94⁵) = 47.2**. This would be worse if a digit is also required since there are only 10 digits (8c w/ upper, lower, special, and digit = 43.9 entropy).

*: There are 34 specials including space, tab, backslash, double-quote, and apostrophe. I assume two of those are prohibited.
**: I'm not concerned with password topology (character order) because it can be predictable.

I consider 60 to be an absolute minimum entropy requirement and I'm personally uncomfortable below 65. I've posted some password complexity vs crack time research here in the past if you want more information on that, but ten fully random characters has an entropy of 65.6 (crack time of 6 to 29 years), which sets that bar.

The only complexity standard that has universal agreement is that of length. If you want to add more complexity like the above bulleted list, you must add to the length each time. So if I'm saying 65 is a good bar, we want:

log₂(94ⁿ × 26 × 26 × 32) ≥ 65
94ⁿ × 26 × 26 × 32 ≥ 2⁶⁵
94ⁿ ≥ 2⁶⁵ / 26 / 26 / 32
n ≥ log₉₄(2⁶⁵ / 26 / 26 / 32)
n ≥ 7.7
ceiling(7.7 + 1 + 1 + 1) = 11

So to target entropy ≥ 65, you need eleven characters including one upper, one lower, and one special.

Checking passwords online

No database pruning needed, just use the API to securely look up the SHA-1 hash (or a range search by truncated SHA-1 hash for some more privacy; present the first five hash chars, get a list of matching pw hashes and search them locally for the 35 remaining chars).

Checking passwords offline (db)

If you get a dump of passwords, you can prune it to just those that meet your criteria. I recommend keeping the original list so you can regenerate your pruned list as you change your password requirements. The above requirement suggestion of 11+ characters plus an upper, a lower, and a special character would be, in bash code:

grep -E '.{11}' password-list.txt \
 |grep '[A-Z]' \
 |grep '[a-z]' \
 |grep '[^A-Za-z0-9]' \
 > pruned-password-list.txt

Checking passwords offline (cracker)

You can also use a tool like hashcat or John the Ripper to regularly attempt to break users' passwords. Send them an email that your system has found it to be a weak password and give an ultimatum for when the account will be locked, requiring password recovery.

Adam Katz
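The entropy arithmetic in the answer above, written out as an added Python example (this is not the answerer's code; the function names are my own). It keeps the answer's simplifications: "at least one of class X" is treated as exactly one position drawn from that class, the remaining positions come from the 94 printable ASCII characters, and character order is ignored. It generalizes the 8-character calculation to any set of required classes, and inverts it the same way the n ≥ log₉₄(...) derivation does to find the minimum length for a target number of bits.

```python
import math

# Class sizes the answer uses: 94 printable ASCII characters in total,
# 26 upper, 26 lower, 10 digits and 32 specials (94 - 26 - 26 - 10).
PRINTABLE = 94
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def policy_entropy_bits(length, required=()):
    """Bits of entropy for a policy of `length` characters where each class in
    `required` must appear (counted as exactly one position from that class).
    Positions not pinned to a class range over all 94 printable characters."""
    if len(required) > length:
        raise ValueError("more required classes than positions")
    combos = PRINTABLE ** (length - len(required))
    for cls in required:
        combos *= CLASS_SIZES[cls]
    return math.log2(combos)


def min_length_for_entropy(target_bits, required=()):
    """Smallest total length reaching `target_bits`: solve
    94^n * prod(class sizes) >= 2^target for the free positions n, then add one
    position per required class and round up (the answer's ceiling(7.7 + 3) step)."""
    remaining = 2.0 ** target_bits
    for cls in required:
        remaining /= CLASS_SIZES[cls]
    free_positions = math.log(remaining, PRINTABLE)
    return math.ceil(free_positions + len(required))


if __name__ == "__main__":
    policy = ("upper", "lower", "special")
    print("8 chars, upper+lower+special:", round(policy_entropy_bits(8, policy), 1))
    print("8 chars, +digit too:", round(policy_entropy_bits(8, policy + ("digit",)), 1))
    print("10 fully random chars:", round(policy_entropy_bits(10), 1))
    print("min length for 65 bits, upper+lower+special:", min_length_for_entropy(65, policy))
```

Requiring a digit as well pushes the minimum length for 65 bits up by one more character, which is the "you must add to the length each time" point in the answer.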
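The two checks the answer describes, the policy gate (the grep pipeline) and the k-anonymity range lookup (send the first five hex characters of the SHA-1, compare the remaining 35 locally), combined in one added Python example. This is not the answerer's code or Have I Been Pwned's client library; `policy_ok`, `check_password` and the other names are my own, and the breach counts in `SAMPLE_COUNTS` are a constructed fixture, not real data. `live_fetch` targets the real range endpoint at https://api.pwnedpasswords.com/range/<prefix> but is never called offline; `offline_fetch` produces a response body in the same `SUFFIX:COUNT` shape so the parsing logic runs without a network.

```python
import hashlib
import re
import urllib.request


def policy_ok(password, min_len=11):
    """Same test as the answer's grep pipeline: at least min_len characters plus
    one upper-case, one lower-case and one non-alphanumeric character."""
    return (len(password) >= min_len
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def sha1_range_parts(password):
    """Split the upper-case hex SHA-1: the 5-char prefix is all that leaves the
    machine; the remaining 35 chars are only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix;
    0 means the hash was not in the returned range."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range, min_len=11):
    """Policy gate first, then the breach lookup through fetch_range(prefix) -> text.
    A password is accepted only if it meets the policy and has never been seen."""
    prefix, suffix = sha1_range_parts(password)
    result = {
        "policy_ok": policy_ok(password, min_len),
        "breach_count": count_in_range(suffix, fetch_range(prefix)),
    }
    result["accept"] = result["policy_ok"] and result["breach_count"] == 0
    return result


# Constructed fixture (not real HIBP data): the counts are made up for the demo.
SAMPLE_COUNTS = {"password": 3730471, "Tr0ub4dor&3": 1}


def offline_fetch(prefix):
    """Stand-in for the API: a response body in the same 'SUFFIX:COUNT' shape,
    holding the fixture entries whose hash starts with `prefix` plus filler rows
    (derived from unrelated constructed strings) so the scan has to search."""
    rows = []
    for pw, count in SAMPLE_COUNTS.items():
        p, s = sha1_range_parts(pw)
        if p == prefix:
            rows.append(f"{s}:{count}")
    for i in range(3):
        filler = hashlib.sha1(f"filler-{i}".encode()).hexdigest().upper()[5:]
        rows.append(f"{filler}:{i + 1}")
    return "\r\n".join(rows) + "\r\n"


def live_fetch(prefix, timeout=10):
    """Real range query (needs network; not used in the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "policy-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "Correct-Horse9Battery"):
        print(pw, check_password(pw, offline_fetch))
```

Note the second fixture entry: "Tr0ub4dor&3" satisfies the 11+/upper/lower/special policy yet is rejected because it appears in the (constructed) breach data, which is the reason the answer pairs a policy with a breached-password lookup rather than relying on either alone. To use the live service, pass `live_fetch` instead of `offline_fetch`.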