Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add breached password references to section 2.1 #1071

Closed
jmanico opened this issue Oct 13, 2021 · 3 comments
Closed

Add breached password references to section 2.1 #1071

jmanico opened this issue Oct 13, 2021 · 3 comments
Assignees
@jmanico
Labels
6) PR awaiting review

Comments

@jmanico
Copy link
Member

jmanico commented Oct 13, 2021

Resources to consider:

https://github.com/danielmiessler/SecLists/tree/master/Passwords

https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere#:~:text=PwnedPasswordsTop100k.txt

cc: @cmlh
@jmanico jmanico self-assigned this Oct 13, 2021
@jmanico jmanico added the 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR label Oct 13, 2021
@cmlh cmlh mentioned this issue Oct 13, 2021
Closed
@tghosth
Copy link
Collaborator

tghosth commented Feb 23, 2022
edited
Loading

@jmanico the current requirement says (emphasis mine):

2.1.14 Verify that passwords submitted during account registration or password changes are checked against a set of breached username/password pairs. (C6)

The links above only include passwords and not usernames so I am not sure they are useful for this control. Or did we mean to use this in reference to the following requirement:

2.1.7 [MODIFIED, SPLIT TO 2.1.14] Verify that passwords submitted during account registration or password change are checked against an available set of, at least, the top 3000 passwords.

@tghosth tghosth closed this as completed Feb 23, 2022
@tghosth tghosth reopened this Feb 23, 2022
@jmanico
Copy link
Member Author

jmanico commented Feb 23, 2022 via email

@tghosth tghosth mentioned this issue Feb 24, 2022
Merged
@tghosth tghosth added 6) PR awaiting review and removed 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR labels Feb 24, 2022
@tghosth
Copy link
Collaborator

tghosth commented Feb 24, 2022

@jmanico opened PR #1234

@tghosth tghosth closed this as completed Apr 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jmanico jmanico

Labels
6) PR awaiting review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmanico @tghosth