
We all know the basic "password rules" when a user registers on a website, such as:

  • more than 8 characters,
  • must contain an upper case letter,
  • must contain numbers, and so on

Why don't websites filter (as in not accept) well-known weak passwords such as:

  • 123456
  • qwerty
  • password

What are the pros and cons of such a method and why is it not widely used?

Anders

Mxsky
    New TRUSTe standards state that sites now must ban certain commonly used password words, like "password" and "123456" and repeating patterns, like "1111111" – schroeder May 02 '16 at 15:22

2 Answers


It's not used widely because if you block 123456, users will use 1234567; if you block qwerty, they'll use qwertyu. Honestly, "The blacklist approach will be bypassed". And this makes the outcome minimal, to the extent that it's not worth implementing.

The approach could be beneficial when coupled with other types of policies like min-length, uppercase, digits, etc. And you see this type of policy in action when systems prevent you from using your last 'x' passwords or alert you that your password can't contain your username. (And a lot of weak passwords are blocked via length/complexity rules.)

Silverfox

I once implemented something like this. The longest known words would be removed from the password before checking its length. So if you enter "test438" as a password, "test" is removed and "438" is obviously too short to be a password. This still allows for passwords that combine multiple known words.

Some people that had passwords like "Test1234" complained about the new system.

Sjoerd
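The technique described in this answer, removing the longest known word before measuring what is left, as an added example that is not the answer author's own code. The dictionary is a small constructed sample standing in for a real word list. By default a single longest word is stripped, matching the answer ("test438" becomes "438", "Test1234" becomes "1234" and is refused, which is the complaint the answer mentions). The `max_words` parameter is an assumption added here: raising it strips further words in turn, which closes the "combine several known words" gap the answer points out, at the cost of also refusing deliberate multi-word passphrases.

```python
"""Strip known dictionary words from a password, then judge the residue
(added example illustrating the answer above)."""

# Constructed sample dictionary; a real deployment would load a large word list.
KNOWN_WORDS = {"test", "password", "summer", "dragon", "monkey",
               "love", "admin", "welcome"}

# Minimum length of what remains after known words are removed.
MIN_RESIDUAL = 8


def strip_known_words(pw: str, words=KNOWN_WORDS, max_words: int = 1):
    """Remove up to max_words known words from pw, longest first,
    case-insensitively. Returns (residual, removed_words)."""
    # Longest word first, so "password" is consumed before a shorter
    # word it contains; the alphabetical tie-break keeps results stable.
    ordered = sorted(words, key=lambda w: (-len(w), w))
    residual = pw
    removed = []
    for _ in range(max_words):
        lowered = residual.lower()
        hit = next((w for w in ordered if w in lowered), None)
        if hit is None:
            break
        pos = lowered.find(hit)
        residual = residual[:pos] + residual[pos + len(hit):]
        removed.append(hit)
    return residual, removed


def password_ok(pw: str, max_words: int = 1) -> bool:
    """Accept only if the non-dictionary residue is long enough."""
    residual, _ = strip_known_words(pw, max_words=max_words)
    return len(residual) >= MIN_RESIDUAL


if __name__ == "__main__":
    for candidate in ["test438", "Test1234", "dragonmonkey99",
                      "correcthorsebatterystaple"]:
        residual, removed = strip_known_words(candidate, max_words=5)
        print(f"{candidate!r}: residual={residual!r} removed={removed} "
              f"ok={password_ok(candidate, max_words=5)}")
```

Note that "dragonmonkey99" passes with the default single-word removal (the residue "monkey99" is eight characters) but fails once `max_words` allows the second word to be stripped; which behaviour is right depends on whether the site wants to encourage passphrases or treat any dictionary content as weak.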