Closed KamilaBorowska closed 5 years ago
You're right.
This needs changing so we have static lists of repetitive passwords and sequential passwords. We should then modify the existing `RepetitiveCharacters` and `SequentialCharacters` rules to simply check the password against these lists, similar to how the `DictionaryWords` rule currently works.
This is being addressed in PR https://github.com/langleyfoxall/laravel-nist-password-rules/pull/22.
This is now fixed in v4.1.1.
According to NIST rules:
Those rules prevent consecutively repeated characters due to misunderstanding another requirement in NIST Password Guidelines.
This is about what such a list of known bad passwords may contain.
`aaaaaa` is obviously a bad password, but say, something like ``Bg(=SRjSxxxx5[=thpmm?God)X~$i_[:(t44m=kF('waq7H}k8\r<]2Q]~>\($9zD<[G4Y5a,/="L`?{E]Af(;`jsk,mPk}*/y)kuZ:7ps\k{NqAb:Fx[AWL"%G92$Gk`` I would argue isn't insecure, even if `x` happens to repeat four times.

Specifically, the intent of the rule is that it should be a finite list of known insecure passwords, not a rule intending to find bad passwords (that can find an infinite number of "insecure" passwords).