strugee / password-requirements-dataset Goto Github PK

Dataset of what websites impose insecure password limits, or crash on strong passwords

License: Creative Commons Zero v1.0 Universal

dataset password-safety database security-dataset json-data json json-schema insecurity password-strength hacktoberfest

password-requirements-dataset's Introduction

Password requirements dataset

This repository contains a database of password limits that different websites impose. The major focus is on limits that are arbitrary, indicate some underlying insecure design, or prevent the usage of strong passwords (e.g. because strong passwords crash the website).

Goals

This the overarching, ambitious goal of this project is to improve the state of internet password security by doing two things:

Helping users pick the strongest passwords they are allowed to for websites
Enabling public shaming of websites that don't get this right

Eventually it would be awesome if this data was used by password managers to generate even stronger passwords, without having to make conservative choices for broad compatibility. But the data included is designed to be flexible and detailed enough to enable all sorts of applications that haven't even been thought of yet.

Usage

Each entry in the dataset is represented in a JSON file in the data/ directory. Copyright is waived on this data (see "License" below), so you are welcome to do whatever you want with it. That being said, if you build tooling around this dataset - for example, to load it into a SQLite database so it can be efficiently queried, or a hall of shame page for websites with bad password practices - you are highly encouraged to submit either your tool itself or a link to your tool in a Pull Request.

More information on the format of each entry is forthcoming. In the meantime, you can use the (mostly-complete) JSON Schema in schema.json as a reference point.

`meta.json`

meta.json contains meta-information about the dataset. Currently it has only one key, schema-version, which will be increased every time the schema is updated in a backwards-incompatible way. It will not be changed if backwards-compatible additions are made.

Note that the addition of new enum values is not considered backwards-incompatible. Therefore, you should expect to handle the following:

Unknown properties
Unknown issue_name values
Unknown issue type values
Unknown issue source values (and therefore, unknown additional_sources values)

For most applications, it would probably be sensible to ignore anything you don't understand.

Author

AJ Jordan [email protected]

License

To the extent possible under law, AJ Jordan has waived all copyright and related or neighboring rights to Password requirements dataset. This work is published from: United States.

password-requirements-dataset's People

Contributors

Stargazers

Watchers

Forkers

shelvacu mccarthydanielle

Your password must have between 8 and 70 characters.

This error pops up. There's more listed initially.

Passwords may not be greater than 16 characters in length.

From the registration flow.

The password must have at least 8 but no more than 12 characters. It must contain upper case and lower case alphabetic characters, and at least one number or symbol.

-- https://www.e-zpassny.com/vector/account/signup/Settings.do

,v@d!GC-[sLp_%<XV}qt<Zs}m=?~+!$Np!u)A+tF%S'B>@wY;|kb}n#ZRyq}%Co>2Q{=/'O'1wa\JtvN./3Ci#8t=gn_m<3_Qf84&}"qrH`a[Hm/"0+PYKdOs~]}Z_d"
mGLca7v!y@3YjurPqEBoD@Tk#WkDjrm#2yL7jXpg*JKf5AN@YKkXn7Tr4LrcQ35JKqs6M

are all invalid passwords. From the forgot password flow:

Passwords should be at least 10 characters long and include 1 uppercase and 1 lowercase alpha character, 1 number and 1 special character. Passwords are case sensitive.

AFAICT there is a hidden 64-character password limit.

Add trustmineral.com

Stitch Data

From the invitation onboarding form:

Password must be at least 8 characters and include 3 out of 4 of the following: a lower-case letter, an upper-case letter, a number, a special character (such as ! $ % @ # ^ * or &).