I found a list of common passwords (i.e. "123456", "password", etc.) online.
Is there a public / open-source set of common passwords where a password policy was in use?
Example of a commonly implemented password policy:
There are public password databases, but you'll have to download and filter them to your target set of requirements and/or use something like the Have I Been Pwned API to check for common passwords.
Let's take your example policy and calculate its entropy:
- At least 8 characters long
- At least 1 upper case letter
- At least 1 lower case letter
- At least 1 special character
To estimate entropy, I'll convert "at least" to mean "exactly", so we have 8 chars including 1 upper, 1 lower, and 1 special. There are 94 printable characters, 26 uppers, 26 lowers, and 32* specials, so the entropy is log₂(26×26×32×94⁵) = 47.2**. This would be worse if a digit is also required since there are only 10 digits (8c w/ upper, lower, special, and digit = 43.9 entropy).
*: There are 34 specials including space, tab, backslash, double-quote, and apostrophe. I assume two of those are prohibited.
**: I'm not concerned with password topology (character order) because it can be predictable .
I consider 60 to be an absolute minimum entropy requirement and I'm personally uncomfortable below 65. I've posted some password complexity vs crack time research here in the past if you want more information on that, but ten fully random characters has an entropy of 65.6 (crack time of 6 to 29 years), which sets that bar.
The only complexity standard that has universal agreement is that of length. If you want to add more complexity like the above bulleted list, you must add to the length each time. So if I'm saying 65 is a good bar, we want:
log₂(94ⁿ × 26 × 26 × 32) ≥ 65
94ⁿ × 26 × 26 × 32 ≥ 2⁶⁵
94ⁿ ≥ 2⁶⁵ / 26 / 26 / 32
n ≥ log₉₄(2⁶⁵ / 26 / 26 / 32)
n ≥ 7.7
ceiling(7.7 + 1 + 1 + 1) = 11
So to target entropy ≥ 65, you need eleven characters including one upper, one lower, and one special.
No database pruning needed, just use the API to securely look up the SHA-1 hash (or a range search by truncated SHA-1 hash for some more privacy; present the first five hash chars, get a list of matching pw hashes and search them locally for the 35 remaining chars).
If you get a dump of passwords, you can prune it to just those that meet your criteria. I recommend keeping the original list so you can regenerate your pruned list as you change your password requirements. The above requirement suggestion of 11+ character plus an upper, a lower, and a special character would be, in bash code:
grep -E '.{11}' password-list.txt \
|grep '[A-Z]' \
|grep '[a-z]' \
|grep '[^A-Za-z0-9]' \
> pruned-password-list.txt
You can also use a tool like hashcat or John the Ripper to regularly attempt to break users' passwords. Send them an email that your system has find it to be a weak password and give an ultimatum for when the account will be locked, requiring password recovery.
