
bad-passwords's Introduction

A list of the top 10,000 most-used passwords from hacked password lists.

The mutated list was generated by installing John the Ripper and running:

john --wordlist=raw.txt --rules --stdout > raw-mutated.txt

This produces a list that starts with the top 10,000 and applies commonplace alterations to each entry. This increases the size of the list from 10,000 to over 422,000.

See Also…

NOTE: This is a list of known-bad clear text passwords. For a list of known-bad password SHA-1 hashes, see https://github.com/skyzyx/bad-password-hashes.

Requirements

Required

The following software is required for Bad Passwords to run:

Installation

Bundle with Composer (recommended!)

To add Bad Passwords as a Composer dependency in your composer.json file:

{
    "require": {
        "skyzyx/bad-passwords": ">=1.0"
    }
}

And include it in your scripts:

require_once 'vendor/autoload.php';

Contributing

To view the list of existing contributors, run the following command from the Terminal:

git shortlog -sne --no-merges

How?

Here's the process for contributing:

  1. Fork Bad Passwords to your GitHub account.
  2. Clone your GitHub copy of the repository into your local workspace.
  3. Write code, fix bugs, and add tests with 100% code coverage.
  4. Commit your changes to your local workspace and push them up to your GitHub copy.
  5. Submit a GitHub pull request with a description of what the change is.
  6. The contribution is reviewed. Maybe there will be some banter back-and-forth in the comments.
  7. If all goes well, your pull request will be accepted and your changes are merged in.

Authors, Copyright & Licensing

My intention is to release all rights to this documentation and make it available under the Public Domain. Unfortunately, in the U.S. it's not quite that cut-and-dry. So, I am dual-licensing this work under CC0 and the Unlicense. You can choose whichever license you would prefer to adhere to.

CC0
To the extent possible under law, Ryan Parman has waived all copyright and related or neighboring rights to "Bad Passwords". This work is published from: United States.


bad-passwords's Issues

Great stuff. Document a possible filter?

The CII Best Practices Badge program "BadgeApp" uses this - thank you!

You might want to modify your README to document how someone might use bad-passwords in other systems. The US NIST has proposed draft password rules in 2016. They recommend having a minimum of 8 characters in passwords and checking against a list of bad passwords - so this list of bad passwords is timely. Here's what we did - you might want to mention this somewhere in the documentation for others.

  • We don't need to store anything less than 8 characters (they will be forbidden anyway), and we only store lowercase versions (we check downcased versions). We compress it into a .gz file; it doesn't take long to read, and that greatly reduces the space we use when storing and transmitting the program. Using the bad-passwords version dated "May 27 11:03:00 2016 -0700", starting with the "mutated" list, we end up with 106,251 forbidden passwords.
(cd .. && git clone https://github.com/skyzyx/bad-passwords )
cat ../bad-passwords/raw-mutated.txt | grep -E '^.{8}' | tr A-Z a-z | \
  sort -u > raw-bad-passwords-lowercase.txt
rm -f raw-bad-passwords-lowercase.txt.gz
gzip --best raw-bad-passwords-lowercase.txt
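
The lookup side of the filter described in this issue, as an added Python example (not code from the issue, from BadgeApp, or from this repository). The function names and the small sample list are constructed for illustration; the check folds case the same way `tr A-Z a-z` does, so the list and the candidate are normalised identically.

```python
import gzip
import io
import string

MIN_LENGTH = 8  # the issue's minimum; anything shorter is rejected outright

# tr A-Z a-z folds only ASCII letters, so the check must fold the same way;
# a broader fold at check time could miss entries the pipeline left untouched.
_ASCII_FOLD = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def normalize(password):
    return password.translate(_ASCII_FOLD)


def build_blocklist(lines):
    """Mirror the shell pipeline: keep >= 8 chars, lowercase, dedupe, gzip."""
    kept = sorted({normalize(line) for line in lines if len(line) >= MIN_LENGTH})
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        gz.write("\n".join(kept).encode("utf-8") + b"\n")
    return buf.getvalue()


def load_blocklist(gz_bytes):
    """Decompress once at startup and hold the entries in a set for O(1) lookups."""
    return frozenset(gzip.decompress(gz_bytes).decode("utf-8").splitlines())


def check_password(password, blocklist):
    """Return 'too_short', 'known_bad' or 'ok' for a candidate password."""
    if len(password) < MIN_LENGTH:
        return "too_short"
    if normalize(password) in blocklist:
        return "known_bad"
    return "ok"


# Constructed sample standing in for raw-mutated.txt (not real list contents).
SAMPLE_MUTATED = ["123456", "password", "Password", "Password1",
                  "qwerty", "Qwerty123", "letmein1"]
BLOCKLIST = load_blocklist(build_blocklist(SAMPLE_MUTATED))

if __name__ == "__main__":
    for candidate in ["qwerty", "PASSWORD1", "correct horse battery"]:
        print(candidate, "->", check_password(candidate, BLOCKLIST))
```
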
