epriestley 02aa193cb0 Add a common password blacklist
Summary:
Fixes T4143. This mitigates the "use a botnet to slowly try to login to every user account using the passwords '1234', 'password', 'asdfasdf', ..." attack, like the one that hit GitHub.

(I also donated some money to Openwall as a thanks for compiling this wordlist.)

Test Plan:
  - Tried to register with a weak password; registered with a strong password.
  - Tried to set VCS password to a weak password; set VCS password to a strong password.
  - Tried to change password to a weak password; changed password to a strong password.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, chad

Maniphest Tasks: T4143

Differential Revision: https://secure.phabricator.com/D8048
2014-01-23 14:01:18 -08:00


<?php
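/**
 * Check if a password is extremely common. Preventing use of the most common
 * passwords is an attempt to mitigate slow botnet attacks against an entire
 * userbase. See T4143 for discussion.
 *
 * Matching is case-insensitive: both the wordlist entries and the password
 * under test are lowercased before comparison, so "Password" is rejected just
 * like "password". The wordlist is read from disk once per process and then
 * cached for subsequent checks.
 *
 * @task common Checking Common Passwords
 */
final class PhabricatorCommonPasswords extends Phobject {

/* -(  Checking Common Passwords  )------------------------------------------ */

  /**
   * Check if a password is extremely common.
   *
   * @param string Password to test.
   * @return bool True if the password is pathologically weak.
   *
   * @task common
   */
  public static function isCommonPassword($password) {
    // Load the wordlist once per process and reuse it across calls rather
    // than rereading the file for every password check.
    static $list;
    if ($list === null) {
      $list = self::loadWordlist();
    }

    // Keys are lowercased in loadWordlist(), so lowercase the candidate too
    // to keep the check case-insensitive.
    return isset($list[strtolower($password)]);
  }

  /**
   * Load the common password wordlist.
   *
   * Reads `externals/wordlist/password.lst` (relative to the directory above
   * the library root), drops the `#!comment:` header lines and lowercases
   * every remaining entry. A handful of application-specific words that are
   * obvious guesses for this product are added on top of the file contents.
   *
   * @return map<string, bool> Map of common (lowercased) passwords.
   *
   * @task common
   */
  private static function loadWordlist() {
    $root = dirname(phutil_get_library_root('phabricator'));
    $file = $root.'/externals/wordlist/password.lst';

    $data = Filesystem::readFile($file);
    $words = phutil_split_lines($data, $retain_endings = false);

    $map = array();
    foreach ($words as $word) {
      // The wordlist file has some comments at the top, strip those out.
      // A literal prefix check is equivalent to the anchored regex and does
      // not need the regex engine once per line.
      if (strncmp($word, '#!comment:', 10) === 0) {
        continue;
      }
      $map[strtolower($word)] = true;
    }

    // Add in some application-specific passwords. Array union keeps keys that
    // are already present, so entries from the file are never overwritten.
    $map += array(
      'phabricator' => true,
      'phab' => true,
      'devtools' => true,
      'differential' => true,
      'codereview' => true,
      'review' => true,
    );

    return $map;
  }

}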