GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → northox → stupid-password

northox / stupid-password

Licence: BSD-3-Clause license
A library to prevent the use of easily guessed/bruteforced password and an alternative to Cracklib

Programming Languages

PHP
23972 projects - #3 most used programming language

Labels

password

Projects that are alternatives of or similar to stupid-password

ComPP
Company Passwords Profiler (aka ComPP) helps making a bruteforce wordlist for a targeted company.
Stars: ✭ 44 (+76%)
Mutual labels:  password
cracken
a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust
Stars: ✭ 192 (+668%)
Mutual labels:  password
ad-password-self-service
基于Python 3.8 + Django 3.2的密码自助平台,AD用户自助修改密码,结合<钉钉>/<企业微信>扫码验证信息后用户可自行重置密码、解锁自己的账号。
Stars: ✭ 76 (+204%)
Mutual labels:  password
mopass
A OpenSource Clientless & Serverless Password Manager
Stars: ✭ 40 (+60%)
Mutual labels:  password
jekyll-password-protect
Password protect Jekyll posts (formerly jekyll-firewall)
Stars: ✭ 60 (+140%)
Mutual labels:  password
ios-application
A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP!
Stars: ✭ 581 (+2224%)
Mutual labels:  password
pwl
Password Lense: reveal character types in a password
Stars: ✭ 20 (-20%)
Mutual labels:  password
IMAPLoginTester
A simple Python script that reads a text file with lots of e-mails and passwords, and tries to check if those credentials are valid by trying to login on IMAP servers.
Stars: ✭ 47 (+88%)
Mutual labels:  password
react-native-passmeter
Simple password strength meter for React Native.
Stars: ✭ 46 (+84%)
Mutual labels:  password
checkforce.js
💪 A library that helps to perform tasks to test strength of passwords
Stars: ✭ 18 (-28%)
Mutual labels:  password
password-list
Password lists with top passwords to optimize bruteforce attacks
Stars: ✭ 174 (+596%)
Mutual labels:  password
OutlookPasswordRecovery
This tool usable for recover Outlook passwords and it working with all versions. I tested with 2007, 2010, 2013 and 2016.
Stars: ✭ 14 (-44%)
Mutual labels:  password
leaked-password
Leaked password check library with bloom filter
Stars: ✭ 41 (+64%)
Mutual labels:  password
moac
Generate passwords and analyze their strength given physical limits to computation
Stars: ✭ 16 (-36%)
Mutual labels:  password
react-login-registration
An example React / Redux / Redux Saga application talking to a Symfony 3 API
Stars: ✭ 31 (+24%)
Mutual labels:  password
password-hasher
The PasswordHasher component provides password hashing utilities.
Stars: ✭ 425 (+1600%)
Mutual labels:  password
jquery.pwstrength
A jQuery plugin to indicate the strength of passwords
Stars: ✭ 22 (-12%)
Mutual labels:  password
DictGenerate
使用Go语言编写的社工字典生成器(The social engineering dictionary generator written by Go)
Stars: ✭ 64 (+156%)
Mutual labels:  password
flutter-password-strength
A password strength checker for flutter.
Stars: ✭ 18 (-28%)
Mutual labels:  password
precis i18n
Python3 implementation of PRECIS framework (RFC 8264, RFC 8265, RFC 8266)
Stars: ✭ 16 (-36%)
Mutual labels:  password
View All Similar Projects ➔

Overview

StupidPass.class.php provides a simple way of preventing user from using easy to guess/bruteforce password. It has been develop to get rid of the crack-lib PHP extension.

Description

StupidPass.class.php is a PHP library that provides simple, yet pretty effective password validation rules.

The library implements 1337 speaking extrapolation. This converts the supplied password into an exhaustive list of possible simple alterations, such as changing the letter a to @ or 4, which is bordly used by end user to meet complexity rules. The complete list of alterations can be found below. This list is then compared against common passwords based on researcs done on the latest password database breaches (linkedin, stratfor, sony, phpbb, rockyou, myspace). Additionally, it validates the length and use of multiple charsets (uppsercase, lowercase, numeric, special) - the later drastically reducing the size of the common password list.

Here's the requirements:

  • ensure the length is at least 8 characters; AND
  • ensure is contains 4 charsets (i.e. uppercase, lowercase, numeric and special characters); AND
  • if environmental context is supplied, the list must not match the environmental context (regex) (e.g. the name of the company, the name of the application, the name of the site, the username, etc); AND
  • the list must not match with the supplied dictionary which is based on common weak passwords obtained by analysing the latest compromised password databases (stratfor, sony, phpbb, myspace, etc).

Additionally:

  • Online attacks should be mitigated by implementing anti-bruteforce techniques;
  • Offline attacks should be mitigated by using strong hashing algorithm such as PBKDF2.

Some maths

The minimum possible combination provided by stupid password is: lowercase + uppercase + numeric + special = (26 + 26 + 10 + 10)^8 = 72^8 = 7.222041363×10¹⁴

n.b. I consider only 10 possibilities for special characters as most users only use what's on top of the numbers (from a keyboard perspective).

If you consider loosing up the requirements, be advised that removing the numeric OR special charset (62^8 = 2.183401056×10¹⁴) is better than using 7 character passwords (72^7 = 1.0030613×10¹³) with all charsets.

1337 speak conversion table

@ => a, o  
4 => a
8 => b
3 => e
1 => i, l
! => i, l, 1
0 => o
$ => s, 5
5 => s
6 => b, d
7 => t

Usage

Simplest possible usage looks like this:

use StupidPass;
$simplePass = new StupidPass();
$bool = $simplePass->validate($PasswordToTest);

The most complex usage scenario could look like this:

// Override the default errors messages
$hardlang = array(
  'length'      => 'Password must be between %s and %s characters inclusively',
  'upper'       => 'Password must contain at least one uppercase character',
  'lower'       => 'Password must contain at least one lowercase character',
  'numeric'     => 'Password must contain at least one numeric character',
  'special'     => 'Password must contain at least one special character',
  'common'      => 'Password is too common',
  'environ'     => 'Password uses identifiable information and is guessable',
  'onlyNumeric' => 'Password must not be entirely numeric'
);

// Supply reference of the environment (company, hostname, username, etc)
$environmental = array('northox', 'github', 'stupidpass', 'stupidpassword');

// Additional options
$options = array(
  'disable' => array('special'),
);

// The first parameter is the max length
use StupidPass;
$stupidPass = new StupidPass(40, $environmental, './StupidPass.default.dict', $hardlang, $options);
if($stupidPass->validate($PasswordToTest) === false) {
  print('Your password is weak:<br \>');
  foreach($stupidPass->getErrors() as $error) {
    print($error . '<br />');
  }
}

Possible options:

  • 'disable' (array): disable stated tests, e.g. array('special', 'lower') to disable both the test for special and lowercase characters.
  • 'maxlen-guessable-test' (integer): disable environment and common password checks for passwords longer than given integer (due to high memory usage and cpu usage). Default: 24.

Please be advised that the minimum length requirement of 8 is hard-coded and can not be changed.

PHP Unit Tests

$ ./vendor/bin/phpunit tests/Tests/StupidPassTest.php
PHPUnit 3.7.38 by Sebastian Bergmann.

.......................

Time: 43 ms, Memory: 4.00MB

OK (23 tests, 45 assertions)

License

BSD license. In other words, it's free software, almost free as in free beer.

Source

https://github.com/northox/stupid-password

Authors

Danny Fullerton - Mantor Organization

Contributors

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].