Check for common words in password strength indicators

Created on 23 March 2012
Updated 29 May 2025

Problem/Motivation

Password cracking tools contain lists of commonly used passwords, so we should warn users that some passwords are too weak to be of any use. The motivation is that the strength checker currently ranks the password "password" as "Fair".

Proposed resolution

This patch integrates Drupal with a third-party, MIT-licensed library for password strength checking: zxcvbn.

Remaining tasks

  • Needs security team review
  • Needs sign-off from someone to approve the inclusion of the new JS library in core: 680k (320k gzipped)

User interface changes

The password strength meter will give a better approximation of how long it would take to brute-force the password. Among other things, the following will be checked:

  • English words, with a frequency list skewed toward American usage and spelling
  • Names and surnames, coming from the US census
  • A few common keyboard-layout-based passwords (e.g. QWERTY)
  • If the user's email address is used
  • If the user's email address name part is used
  • If the user's email address domain part is used
  • If the user's username is used
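The checks listed above, as an added illustration that is neither zxcvbn's code nor part of this patch: a small JavaScript checker that looks for common words, keyboard sequences and the user's own account data (username, e-mail name part, e-mail domain part) inside a candidate password, including simple l33t substitutions such as "P@ssw0rd". The word lists, the account fields and the function names are constructed for the example; zxcvbn works with much larger ranked dictionaries and estimates a guess count rather than returning a weak/not-weak flag.

```javascript
// Added example (not zxcvbn, not Drupal core): a simplified common-word and
// account-data check of the kind described in the issue summary.

// Constructed sample of very common passwords, dictionary words and names.
// A real checker such as zxcvbn uses far larger ranked lists.
const COMMON_WORDS = [
  'password', 'letmein', 'welcome', 'dragon', 'monkey', 'football',
  'michael', 'jennifer', 'smith', 'johnson',
];

// Constructed sample of keyboard-layout sequences.
const KEYBOARD_PATTERNS = ['qwerty', 'asdfgh', 'zxcvbn', '123456', '1qaz2wsx'];

// Common l33t substitutions, mapped back to the letter they stand for.
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's' };

// Lower-case the password and undo l33t substitutions so that "P@ssw0rd"
// is compared as "password".
function normalize(password) {
  return password.toLowerCase().split('').map((c) => LEET[c] || c).join('');
}

// Split an e-mail address into its name part and domain part.
function emailParts(email) {
  const at = email.lastIndexOf('@');
  if (at < 0) return { name: email, domain: '' };
  return { name: email.slice(0, at), domain: email.slice(at + 1) };
}

// Per-user dictionary: username, e-mail name part, e-mail domain part and
// the individual domain labels ("example" in "example.com").
function userInputs(account) {
  const inputs = [];
  if (account.username) inputs.push(account.username);
  if (account.email) {
    const { name, domain } = emailParts(account.email);
    if (name) inputs.push(name);
    if (domain) inputs.push(domain, ...domain.split('.'));
  }
  return inputs;
}

// Return the terms that appear inside the password, either literally or
// after l33t normalisation. Terms shorter than minLength are skipped so that
// fragments such as "com" do not produce false positives.
function matchedTerms(password, terms, minLength = 4) {
  const raw = password.toLowerCase();
  const norm = normalize(password);
  const hits = new Set();
  for (const term of terms) {
    const t = term.toLowerCase();
    if (t.length < minLength) continue;
    if (raw.includes(t) || norm.includes(t)) hits.add(t);
  }
  return [...hits];
}

// Main check. Returns { weak, reasons }; a password that contains a common
// word, a keyboard pattern or the user's own account data is flagged weak
// regardless of its length or character classes.
function checkPassword(password, account) {
  const reasons = [];
  for (const t of matchedTerms(password, COMMON_WORDS)) {
    reasons.push(`contains common word "${t}"`);
  }
  for (const t of matchedTerms(password, KEYBOARD_PATTERNS)) {
    reasons.push(`contains keyboard pattern "${t}"`);
  }
  for (const t of matchedTerms(password, userInputs(account))) {
    reasons.push(`contains account information "${t}"`);
  }
  return { weak: reasons.length > 0, reasons };
}

// Constructed account for the demonstration.
const demoAccount = { username: 'alice', email: 'alice@example.com' };
const candidates = ['password', 'P@ssw0rd!', 'alice2024', 'example!!99', 'qwerty77', 'correct horse battery staple'];
for (const candidate of candidates) {
  const result = checkPassword(candidate, demoAccount);
  console.log(candidate, '=>', result.weak ? 'weak: ' + result.reasons.join('; ') : 'no dictionary match');
}
```

The point of the example is the ordering of concerns: a dictionary or account-data hit should override any length- or character-class-based score, which is exactly why a meter that only counts character classes rates "password" as "Fair". The minimum term length and the l33t table are heuristics chosen for the example, not values taken from zxcvbn.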

API changes

n/a

Related Issues

Original report by webkenny

So while at the code sprint today I noticed that when you type the word "password" as your password, it marks that as "Fair". Luckily I happened to be sitting with Jakub, and greggles was in earshot, so we thought that, based on this report to the security team (see http://drupal.org/node/454014#comment-5743806), it might be worth checking for a list of common words.

Issue details

  • Type: Task
  • Status: Needs work
  • Version: 11.0
  • Component: user.module
  • Created by: webkenny (United States)

Tags

  • Security
  • Security improvements

Comments & Activities

  • First commit to issue fork.