A more useful list of common passwords?


A more useful list of common passwords?

Brenton Cleeland-2
Three years ago Django introduced the CommonPasswordValidator and included a list of 1,000 passwords considered to be "common". That list was based on leaked passwords and came from xato.net[1].

I'd like to update the list to

a) be from a more reliable / recent source
b) be larger and more in line with the NIST recommendations

Security researcher Troy Hunt has published a massive list of leaked passwords, including frequencies, on Have I Been Pwned[2]. The top 20,000 of these are available in a gist from Royce Williams[3], including the frequency, MD5 hash and plain-text password.

Interestingly, there are 27 passwords in the Django list that aren't in the HIBP list. I'd post them here but they're mostly short and not safe for work.

I've created a ticket for the increase in size[4] but wanted to check in and make sure this is something django-developers thinks is valuable.

Cheers,
Brenton

[1]: https://web.archive.org/web/20150315154609/https://xato.net/passwords/more-top-worst-passwords/#.Wr3H1chxV25
[2]: https://haveibeenpwned.com/Passwords
[3]: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
[4]: https://code.djangoproject.com/ticket/29274

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/0a215878-9d3f-4446-a018-602694f54904%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: A more useful list of common passwords?

Curtis Maloney-2
What sort of performance impact is this having over the existing list?

What's the additional memory load, if any?

--
Curtis


On 03/30/2018 04:24 PM, Brenton Cleeland wrote:


Re: A more useful list of common passwords?

Curtis Maloney-2
By which I mean... hi Brenton! Great to see you being active again :)

It's great you've taken the time to do this, and the benefits are very
clear [improved security], but what are the costs?

Whilst you're at it, what is the new file size?

--
Curtis



On 03/30/2018 04:26 PM, Curtis Maloney wrote:


Re: A more useful list of common passwords?

Brenton Cleeland-2
Heya, Curtis!

The gzipped file size of the new file is 82K. That's with all 19,999 passwords from Royce's list.

I threw together a quick test that compares the default list to the new larger one by checking 10,000 random passwords. Speed difference is negligible, with both varying between 0.8–1.1 seconds on my machine.

Memory usage on the other hand is definitely higher. With the current Django list of 1,000 passwords memory usage increases by 0.1MiB. With the new list it's 0.9-1.0MiB. This would be expected, since the list is 20x the size. To put it into context, the project that I ran that test on (a fresh project using the standard template) was already using 30MiB to run the management command.

You can see the full output of the memory test here:
https://gist.github.com/sesh/c431b8cc6b5063e31f08b2a4dc3b46f0

I think the trade-off of a little extra memory is worth it. If you really want to save memory you can (should?) disable the common password validator or provide your own shorter list anyway.

On 30 March 2018 at 16:31, Curtis Maloney <[hidden email]> wrote:



--
Cheers,
Brenton

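The memory and timing comparison Brenton describes, reproduced as an added example (this is not Django's code and not the script in the gist linked above): it builds synthetic 1,000- and 20,000-entry gzipped lists, loads each into a frozenset through a per-path cache that all validator instances in the process share, and reports peak heap during the load plus lookups per second for a mix of real entries and random misses. The synthetic entries, the file names and the cache are this example's own assumptions.

```python
"""What a bigger list costs: peak memory while loading, load time and lookup
throughput, measured the way the post above describes (random candidates
against a 1,000-entry and a 20,000-entry list).  Added example, not Django's
code or the gist linked above; the lists are synthetic and generated here.
The loader also caches the set per path so validator instances share it."""
import gzip
import os
import random
import string
import tempfile
import time
import tracemalloc

# One frozenset per list file for the whole process, however many validator
# instances are created (assumption of this example; Django's validator
# builds its own set per instance).
_LIST_CACHE = {}


def write_synthetic_list(path, n_entries, seed=0):
    """Constructed stand-in for common-passwords.txt.gz: n_entries distinct
    8-character lowercase strings, one per line, gzip-compressed."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    entries = set()
    while len(entries) < n_entries:
        entries.add("".join(rng.choices(alphabet, k=8)))
    with gzip.open(path, "wt", encoding="utf-8") as f:
        f.write("\n".join(sorted(entries)) + "\n")


def load_common_passwords(path):
    """Read the gzipped list once into a frozenset, stripping each line."""
    if path not in _LIST_CACHE:
        with gzip.open(path, "rt", encoding="utf-8") as f:
            _LIST_CACHE[path] = frozenset(
                line.strip() for line in f if line.strip()
            )
    return _LIST_CACHE[path]


def is_common(password, common):
    """The lookup itself: lower-case and strip the candidate, then a set test."""
    return password.lower().strip() in common


def measure(n_entries, n_checks=10_000, seed=1):
    """Generate a list of n_entries, load it cold, then time n_checks lookups
    (half real entries, half 10-character random strings that cannot be in an
    8-character list).  Memory is what tracemalloc sees allocated on the
    Python heap during the load, not the process RSS."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, f"list-{n_entries}.txt.gz")
        write_synthetic_list(path, n_entries, seed=n_entries)
        _LIST_CACHE.pop(path, None)

        tracemalloc.start()
        t0 = time.perf_counter()
        common = load_common_passwords(path)
        load_ms = (time.perf_counter() - t0) * 1000.0
        _, peak_bytes = tracemalloc.get_traced_memory()
        tracemalloc.stop()

        rng = random.Random(seed)
        entries = sorted(common)
        candidates = [rng.choice(entries) for _ in range(n_checks // 2)]
        candidates += ["".join(rng.choices(string.ascii_letters, k=10))
                       for _ in range(n_checks // 2)]
        t0 = time.perf_counter()
        hits = sum(1 for c in candidates if is_common(c, common))
        elapsed = time.perf_counter() - t0

        _LIST_CACHE.pop(path, None)  # the temp file is about to be deleted
        return {
            "entries": len(common),
            "peak_kib": peak_bytes / 1024,
            "load_ms": load_ms,
            "hits": hits,
            "lookups_per_sec": len(candidates) / elapsed if elapsed else float("inf"),
        }


if __name__ == "__main__":
    for n in (1_000, 20_000):
        r = measure(n)
        print(f"{r['entries']:>6} entries: peak {r['peak_kib']:8.1f} KiB on load, "
              f"load {r['load_ms']:6.1f} ms, {r['lookups_per_sec']:,.0f} lookups/s")
```

Against the real file, point `load_common_passwords` at Django's `common-passwords.txt.gz` (or pass the path to `CommonPasswordValidator(password_list_path=...)`). Per-lookup cost is a hash and a set probe either way, which is why the size of the list shows up in the load figures and not in the check itself.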

Re: A more useful list of common passwords?

Adam Johnson-2
This new file sounds good to me.

> Whilst you're at it, what is the new file size?

I downloaded the gist, took only column 3 (the actual passwords) and gzipped it, it came to 81K over the existing 3.8K. Uncompressed that's 163K over 7.1K.

It would probably warrant a smarter checking algorithm over the current one, where the validator loads the whole file into memory on initialization (and doesn't share it between instances).

OOI have you seen https://github.com/ubernostrum/pwned-passwords-django/ , which uses Troy Hunt's massive API for all leaked passwords ?

On 30 March 2018 at 06:31, Curtis Maloney <[hidden email]> wrote:
--
Adam


Re: A more useful list of common passwords?

Curtis Maloney-2
On 03/30/2018 07:05 PM, Adam Johnson wrote:
> This new file sounds good to me.
>
>     Whilst you're at it, what is the new file size?
>
>
> I downloaded the gist, took only column 3 (the actual passwords) and
> gzipped it, it came to 81K over the existing 3.8K. Uncompressed that's
> 163K over 7.1K.

Still a tiny drop compared to a running system... but something worth
keeping an eye on.

A quick look at the code shows, of course, that you can specify your own
file, so IFF this new file is rejected, it can at least be easily
offered and used.

> It would probably warrant a smarter checking algorithm over the current
> one, where the validator loads the whole file into memory on
> initialization (and doesn't share it between instances).

The current solution is storing the strings in a set, so membership of
strings in a set _should_ be fairly efficient.

--
Curtis

> OOI have you seen https://github.com/ubernostrum/pwned-passwords-django/ 
> , which uses Troy Hunt's massive API for all leaked passwords ?

The joy of pluggable validators is... people can choose their level of
strictness :)

--
C

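For the stricter option Adam points to and Curtis files under "choose your level of strictness", an added example (not pwned-passwords-django's code) of the lookup such a validator performs: the k-anonymity range query to Have I Been Pwned, in which only the first five hex characters of the password's SHA-1 leave the machine and the remaining 35 are matched locally against the returned range. The range body is constructed here (the genuine suffix for "password" among invented neighbours with made-up counts), the function names are this example's own, and the live fetcher is included but not called.

```python
"""How a validator backed by Have I Been Pwned checks a password without
sending it anywhere: the k-anonymity range query that the package mentioned
above builds on.  Only the first five hex characters of the SHA-1 go to the
service; the client matches the remaining 35 locally.  Added example, not that
package's code.  The range body below is constructed; the live fetcher is
included but not exercised here."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response for prefix 5BAA6: one genuine line (the suffix of
# SHA-1("password"), count made up) among invented neighbours.  A real
# response has hundreds of "SUFFIX:COUNT" lines.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
0123456789ABCDEF0123456789ABCDEF012:0
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.  Padded responses
    (Add-Padding: true) contain filler lines with count 0, which are dropped."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        count = int(count)
        if count > 0:
            counts[suffix.strip().upper()] = count
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in HIBP, 0 if not found.
    fetch_range(prefix) -> response body; injected so it can be stubbed."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix, timeout=5):
    """Live fetcher.  Add-Padding makes every response a similar size so the
    response length leaks nothing about which range was asked for."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "common-password-check-example",
                 "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def stub_fetch_range(prefix):
    """Offline stand-in for fetch_range_live using the constructed body."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "a-safe-password"):
        n = breach_count(candidate, stub_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in range data")
```

A validator built on this has to decide what to do when the service is unreachable: failing open keeps sign-up working but silently loses the check, failing closed blocks sign-up. Whichever is chosen, the local list validator remains the floor that does not depend on the network.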

Re: A more useful list of common passwords?

Jessica F
Hello! I'm Jessica, the assignee of this ticket. I am speaking on behalf of a group of newbies contributing to open source projects.
I was looking at the list of 20k passwords by Royce Williams, and there were 40 that were something like "$HEX[d0bfd197d5]". When I parsed them, nothing legible came out of it. I was wondering if this was an error on the list or was it intentional?



Re: A more useful list of common passwords?

Brenton Cleeland-2
Hi Jessica (& team!),

My immediate thought is that those rows are errors. They should be ignored and not included in any list added to Django :)

On 11 April 2018 at 02:13, Jessica F <[hidden email]> wrote:




--
Cheers,
Brenton

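Building the list the way the thread settles on, as an added example (not the code behind the ticket): parse the three-column export (frequency, MD5, plain text), skip the $HEX[...] rows, verify each remaining hash against its plain text, and normalise entries the way the validator normalises a candidate. $HEX[...] is hashcat's notation for a candidate that is not clean printable text, written out as its raw bytes in hex, which is why decoding it produced nothing legible. Assumptions of this example: the columns are colon-separated (change DELIM for the real file) and the MD5 is over the password's UTF-8 bytes; the sample rows are constructed, with made-up frequencies, one mixed-case duplicate and one deliberately corrupted hash.

```python
"""Build Django's one-password-per-line list from the three-column export
(frequency, MD5, plain text) the thread refers to, dropping the $HEX[...] rows
as agreed above and verifying each remaining hash.  Added example, not the
code behind the ticket.  Assumptions: columns are colon-separated (DELIM) and
the MD5 is over UTF-8 bytes.  SAMPLE_EXPORT is constructed."""
import gzip
import hashlib
import re

DELIM = ":"  # assumed column separator; adjust for the real export
# hashcat-style notation for a candidate that is not clean printable text:
# the raw bytes, hex-encoded.  These rows are skipped, not decoded.
HEX_ROW = re.compile(r"^\$HEX\[[0-9a-fA-F]*\]$")

SAMPLE_EXPORT = (
    "20760336:e10adc3949ba59abbe56e057f20f883e:123456\n"
    "7016669:25f9e794323b453885f5181f1b624d0b:123456789\n"
    "3730471:5f4dcc3b5aa765d61d8327deb882cf99:password\n"
    "3599486:d8578edf8458ce06fbc5bb76a58c5ca4:qwerty\n"
    # mixed-case duplicate of "password"; hash computed here rather than typed
    f"1200:{hashlib.md5(b'Password').hexdigest()}:Password\n"
    "40:ffffffffffffffffffffffffffffffff:$HEX[d0bfd197d5]\n"
    # hash does not match the plain text; also a password containing ':'
    "12:00000000000000000000000000000000:corrupted:row\n"
)


def parse_export(text):
    """Yield (frequency, md5_hex, plaintext) per non-empty line.  The split is
    limited to two delimiters so a password containing DELIM stays intact."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(DELIM, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected frequency{DELIM}md5{DELIM}password")
        frequency, digest, plaintext = parts
        yield int(frequency), digest.strip().lower(), plaintext


def build_common_list(text):
    """Return (entries, report).  entries: unique passwords, most frequent
    first, normalised the way the validator normalises a candidate (stripped
    and lower-cased) so every entry can actually match.  report: rows dropped,
    by reason."""
    report = {"kept": 0, "hex_skipped": 0, "md5_mismatch": 0,
              "merged_by_normalisation": 0, "empty": 0}
    rows = sorted(parse_export(text), key=lambda r: -r[0])
    entries, seen = [], set()
    for _, digest, plaintext in rows:
        if HEX_ROW.match(plaintext):
            report["hex_skipped"] += 1
            continue
        if hashlib.md5(plaintext.encode("utf-8")).hexdigest() != digest:
            report["md5_mismatch"] += 1
            continue
        normalised = plaintext.strip().lower()
        if not normalised:
            report["empty"] += 1
            continue
        if normalised in seen:
            report["merged_by_normalisation"] += 1
            continue
        seen.add(normalised)
        entries.append(normalised)
        report["kept"] += 1
    return entries, report


def write_gzipped_list(entries, path):
    """Write the list in the format the validator reads: one entry per line, gzipped."""
    with gzip.open(path, "wt", encoding="utf-8") as f:
        f.write("\n".join(entries) + "\n")


if __name__ == "__main__":
    entries, report = build_common_list(SAMPLE_EXPORT)
    print(report)
    print(entries)
```

The hash check is what turns a downloaded text file into something you can commit with confidence: a transposed column, a stray character or a corrupted line shows up as a mismatch instead of as a dead entry nobody notices. Lower-casing on the way in is deliberate: the validator lower-cases the candidate before the lookup, so a mixed-case entry would never fire.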

Re: A more useful list of common passwords?

Jessica F
I see. Thank you very much!

Cheers,
Jessica

On Tuesday, April 10, 2018 at 5:59:20 PM UTC-4, Brenton Cleeland wrote:


Re: A more useful list of common passwords?

Kelly-2
Hello!

I am Kelly, a member of the group working on ticket #29274. We really appreciate your help thus far!

We have successfully replaced the list of passwords and ran the unit tests with ./runtests.py.

When looking at the CommonPasswordValidatorTest(TestCase) class found in https://github.com/django/django/blob/2cb6b7732dc7b172797cebb1e8f19be2de89e264/tests/auth_tests/test_validators.py, we noticed that only a few strings are being tested, namely 'godzilla' and 'a-safe-password'.

As we make our pull request, we were wondering if we should include more specific unit tests to test the validator.

Cheers,

Kelly

On Tuesday, April 10, 2018 at 5:59:20 PM UTC-4, Brenton Cleeland wrote:


Re: A more useful list of common passwords?

James Bennett
One approach you might try is on every test run, randomly select some lines from the list of common passwords and verify they fail the validator. That way we know it's not just testing a single, fixed, contrived case.

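What James suggests, as an added example (not Django's test suite): a test that draws a fresh random sample of the shipped list on every run, asserts each sampled entry is rejected, and reports the seed so a failing sample can be replayed. It adds one check the thread does not spell out: the lookup lower-cases and strips the candidate before the set test, so an entry with upper-case letters can never match anything and the list should contain none. The gzipped list is constructed and `is_common` stands in for the validator's lookup; both are this example's own.

```python
"""Tests that go beyond one fixed string, along the lines suggested above:
each run samples entries from the list and asserts every one is rejected, and
the seed is recorded so a failure can be replayed.  A second test checks the
list itself is normalised.  Added example, not Django's test suite; the list
is a constructed gzipped file and is_common stands in for the validator."""
import gzip
import os
import random
import tempfile
import unittest

# Constructed list; every entry already lower-case, as the validator needs.
CONSTRUCTED_LIST = ["password", "123456", "qwerty", "letmein", "dragon", "monkey"]


def write_list(path, entries):
    with gzip.open(path, "wt", encoding="utf-8") as f:
        f.write("\n".join(entries) + "\n")


def load_list(path):
    """Entries are stripped on load and blank lines dropped."""
    with gzip.open(path, "rt", encoding="utf-8") as f:
        return [line.strip() for line in f if line.strip()]


def roundtrip(entries):
    """Write and re-read a list through a temporary file; returns what was loaded."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "common-passwords.txt.gz")
        write_list(path, entries)
        return load_list(path)


def is_common(password, common):
    """The validator's lookup: normalise the candidate, then test membership."""
    return password.lower().strip() in common


def unnormalised_entries(entries):
    """Entries that differ from their lower-cased form; such entries can never
    match a normalised candidate and are dead weight in the list."""
    return [e for e in entries if e != e.lower()]


def sample_entries(entries, k, seed=None):
    """Pick k distinct entries.  A fresh seed is drawn per run unless one is
    given; it is returned so a failing sample can be reproduced."""
    if seed is None:
        seed = random.SystemRandom().randrange(2 ** 32)
    return seed, random.Random(seed).sample(entries, k)


class CommonPasswordListTests(unittest.TestCase):
    @classmethod
    def setUpClass(cls):
        cls.tmp = tempfile.TemporaryDirectory()
        cls.path = os.path.join(cls.tmp.name, "common-passwords.txt.gz")
        write_list(cls.path, CONSTRUCTED_LIST)
        cls.entries = load_list(cls.path)
        cls.common = frozenset(cls.entries)

    @classmethod
    def tearDownClass(cls):
        cls.tmp.cleanup()

    def test_random_sample_is_rejected(self):
        seed, picked = sample_entries(self.entries, k=4)
        for pw in picked:
            # subTest reports the seed and the password when a case fails
            with self.subTest(seed=seed, password=pw):
                self.assertTrue(is_common(pw, self.common))
                self.assertTrue(is_common(pw.upper(), self.common))
                self.assertTrue(is_common(f"  {pw}\n", self.common))

    def test_safe_password_is_accepted(self):
        self.assertFalse(is_common("a-safe-password", self.common))

    def test_list_is_normalised(self):
        self.assertEqual(unnormalised_entries(self.entries), [])


if __name__ == "__main__":
    unittest.main()
```

Inside a Django checkout the same tests would load `django/contrib/auth/common-passwords.txt.gz`, call `CommonPasswordValidator().validate(pw)` for each sampled entry inside `assertRaises(ValidationError)`, and keep the normalisation test over the raw file so a badly generated list fails CI rather than shipping.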

Re: A more useful list of common passwords?

Kelly-2
Thank you for your quick reply! We will try that.

Cheers,

Kelly

On Friday, April 13, 2018 at 5:33:24 PM UTC-4, James Bennett wrote:
