Closed evertonbernardi closed 2 years ago
Hi Everton,
The banned word checking is looking for simple, common, well known variations of words. It applies a normalization process and checks the normalized value against the banned word store.
So adding 'everton' to the banned word store would stop 3v3rt0n, but it would not stop "my name is everton", because after normalization, that would be checked against "mynameiseverton" which would not be found in the banned word store.
Regarding the policy to reject passwords that contain the user's display name, well that would ban "my name is everton", but it would not ban an obfuscated name like you demonstrated. This type of check splits the name by the spaces, and looks for whole segments of that name in the password.
I hope that helps clarify the logic here.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
@ryannewington Could it be enabled so the banned word store would effectively ban the usage of banned words altogether? While I understand the normalization process, the company rules often say "Don't use XYZ in your password", and then someone comes in and uses XYZ_OnAHill and it works :/
@PrzemyslawKlys unfortunately not. The words in the banned word store are stored using a one-way hash, so we don't actually have the plain-text version of the banned word to check against. You'd have to use regex to block passwords with specific words in it.
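To make the three checks discussed in this thread concrete, here is an added illustration (not the project's own code) that models the normalized one-way-hashed banned word store, the whole-segment display name check, and a regex block, and shows why "3ver+on 8runo 8ern@rdi" passes the first two. The substitution table is an assumed leet-style approximation, not the tool's real normalization table, and the final normalized-segment check is a hypothetical combination not described in the thread.

```python
import hashlib
import re

# Assumed leet-style substitutions; an approximation, not the tool's real table.
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "!": "i", "@": "a",
                      "4": "a", "$": "s", "5": "s", "8": "b", "+": "t", "7": "t"})


def normalize(value: str) -> str:
    """Lowercase, undo common substitutions, drop everything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", value.lower().translate(LEET))


def store_hash(word: str) -> str:
    """One-way hash of the normalized word, so the store never holds plain text."""
    return hashlib.sha256(normalize(word).encode()).hexdigest()


# Constructed banned word store: the three name parts from the issue.
BANNED_STORE = {store_hash(w) for w in ("Everton", "Bruno", "Bernardi")}


def banned_word_check(password: str) -> bool:
    """Rejects only when the WHOLE normalized password is a banned word."""
    return store_hash(password) in BANNED_STORE


def display_name_check(password: str, display_name: str) -> bool:
    """Rejects when any whole space-separated name segment appears verbatim."""
    pw = password.lower()
    return any(seg.lower() in pw for seg in display_name.split())


def regex_check(password: str, patterns) -> bool:
    """Rejects when any configured pattern matches the raw password."""
    return any(re.search(p, password, re.IGNORECASE) for p in patterns)


def normalized_name_check(password: str, display_name: str) -> bool:
    """Hypothetical: name segments matched against the NORMALIZED password.
    Not a check the thread says the tool performs; shown to close the gap."""
    pw = normalize(password)
    return any(normalize(seg) in pw for seg in display_name.split() if len(seg) > 2)


def evaluate(password: str, display_name: str, patterns=()) -> dict:
    """Return each check's verdict (True means the password would be rejected)."""
    return {"banned_word": banned_word_check(password),
            "display_name": display_name_check(password, display_name),
            "regex": regex_check(password, patterns),
            "normalized_name": normalized_name_check(password, display_name)}
```

Running evaluate("3ver+on 8runo 8ern@rdi", "Everton Bruno Bernardi") shows banned_word and display_name both False, matching the approval in the issue, while the hypothetical normalized-segment check returns True.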
Could there be another store added? :-) What is the length of an accepted regex?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Hello there! First of all I want to thank you for making such a great tool.
I've identified a potential flaw in the policy "Reject passwords that contain the user's display name" mechanism or in the "Reject passwords found in the compromised password store". Here you can find how my policies are configured in a test environment:
I've added all of the words of my own name to the banned word store:
If I test the password "3ver+on 8runo 8ern@rdi" against my own username it gets approved, as you can see in the image below:
Is this expected? If so is there a way I can deny a user from getting a password like this approved?
Best regards!
Everton