Closed by darkpixel 8 months ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Zark off stalebot. There's no activity because the developers haven't responded yet.
Hi @darkpixel
There's some nuance to the way the banned word filter works.
It's designed to prevent the use of a password based on a simple word. Not to prevent the use of a word entirely in a password.
So we take the common brute-force techniques used by password cracking tools and apply those to the password as a whole.
So we don't want common, easy-to-predict patterns used for passwords. So in your doctor case, we avoid passwords derived from the word doctor:
D0ctor1
Doctor123
But we don't prevent the use of the word doctor in a way that isn't recognized in a brute-force pattern:
My Favorite Doctor is Dr Jim
ihategoingtothedoctor
More information on the exact normalization process can be found here: https://docs.lithnet.io/password-protection/advanced-help/normalization-rules
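To make the "normalize, then compare the whole password against the banned list" behaviour described above concrete, here is a small example written for this thread. It is not Lithnet's code: the leet-speak substitution table and the strip-leading/trailing-digits-and-symbols rule are simplified assumptions standing in for the real normalization rules linked above, and the banned-word list is constructed for the example.

```python
"""Simplified banned-word check in the style described in the comment above.

ASSUMPTION: the normalization below (lowercase, strip leading/trailing
non-letters, common leet-speak substitutions) is an illustrative stand-in
for Lithnet's documented normalization rules, not a copy of them.
"""
import re
from typing import Iterable, Set

# Assumed leet-speak substitutions a cracking rule would undo (constructed).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

# Constructed banned-word list for the example (the thread's two words).
BANNED_WORDS = {"doctor", "dental"}


def candidate_forms(password: str) -> Set[str]:
    """Return the normalized forms a simple cracking rule set would derive.

    Each form is the password as a whole reduced to a possible base word;
    the password is never scanned for a banned word *inside* it.
    """
    lower = password.lower()
    # Drop trailing/leading digits and symbols: 'Doctor123' -> 'doctor'.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    forms = {lower, stripped}
    # Undo leet-speak on both variants: 'd3nt@l' -> 'dental', 'D0ctor1' -> 'doctor'.
    forms |= {form.translate(LEET_MAP) for form in (lower, stripped)}
    return forms


def is_banned(password: str, banned: Iterable[str] = BANNED_WORDS) -> bool:
    """True if any normalized form of the whole password is a banned word."""
    banned_set = set(banned)
    return any(form in banned_set for form in candidate_forms(password))


def evaluate(passwords: Iterable[str]) -> dict:
    """Map each password to 'rejected' or 'accepted' for a quick report."""
    return {p: ("rejected" if is_banned(p) else "accepted") for p in passwords}


if __name__ == "__main__":
    samples = [
        "doctor", "D0ctor1", "Doctor123", "d3nt@l",   # derived from banned words
        "My Favorite Doctor is Dr Jim", "ihategoingtothedoctor",  # merely contain one
    ]
    for pwd, verdict in evaluate(samples).items():
        print(f"{verdict:9s} {pwd!r:35s} forms={sorted(candidate_forms(pwd))}")
```

Note the contrast the comment draws: "Doctor123" and "D0ctor1" collapse to "doctor" and are rejected, while "ihategoingtothedoctor" stays a different whole string and is accepted, because the check is an equality test on the normalized whole password, not a substring search.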
Makes sense. Thanks @ryannewington!
It seems like normalized banned words is succeeding when it should be failing.
If I add 'doctor' and 'dental' to the list of banned words, the system totally accepts the words 'doctor' and 'dental', but will fail when 'd0ct0r' or 'd3nt@l' are used.
I've gone through the docs a few times, and it seems like this should cause the password change to fail.
Maybe I'm misunderstanding something?