Password Complexity v2

Jun 14, 2016 php ux

Every year, they come out with a list of the top 20 most used passwords and it makes me wonder… how many users on any one of my websites are using those passwords?

So my first thought is to go the route of using password complexity meters - maybe check to see that there is one letter, one number, there is a special symbol, a capital letter, etc… You’ve seen these.

But users HATE these.

And, when they’re picking a password, chances are this is one of the first times you’re interacting with them - so it should be nice and easy.

So instead of doing that normal password complexity calculation, I’ve decided to relax my rules a little bit. I’ve built a list based on the last few years of common passwords and will not allow a user to create a password that is on it. With all the computing power out there, if someone wants to guess a password, or hack one, it’s pretty easy. I just want to make sure that they don’t pick something so easy to guess that anyone could type it in.

I’ve developed the following list that I test against when users are creating a password. If it matches any of these (or matches their email or username), I reject it and mention that they should pick a more secure password. Not perfect, but certainly a better experience than some password complexity indicators or restrictions - and I think it gets me about 80% of the way there anyway.

test
pass
secret
god
testuser
admin
administrator
manager
demo
demouser
password
passw0rd
password1
password123
qwerty
test123
letmein
12345
123456
1234567
12345678
123456789
welcome
abc123
111111
1qaz2wsx
master
login
asdf
asdfasdf
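
The check described above, as an added PHP example (not code from the original post). The function names are hypothetical, and comparing case-insensitively after trimming is an assumption the post does not state.

```php
<?php
declare(strict_types=1);

// The common passwords listed in the post above.
const COMMON_PASSWORDS = [
    'test', 'pass', 'secret', 'god', 'testuser', 'admin', 'administrator',
    'manager', 'demo', 'demouser', 'password', 'passw0rd', 'password1',
    'password123', 'qwerty', 'test123', 'letmein', '12345', '123456',
    '1234567', '12345678', '123456789', 'welcome', 'abc123', '111111',
    '1qaz2wsx', 'master', 'login', 'asdf', 'asdfasdf',
];

// Normalise for comparison only; the password itself is never modified.
// Assumption: fold ASCII case and trim, so "Password " still matches "password".
function normalizeForCompare(string $value): string
{
    return strtolower(trim($value));
}

// Hypothetical helper: true when the password must be rejected.
function isRejectedPassword(string $password, string $username, string $email): bool
{
    $candidate = normalizeForCompare($password);
    if ($candidate === '') {
        return true; // nothing to check against, and not a usable password
    }
    if (in_array($candidate, COMMON_PASSWORDS, true)) {
        return true;
    }
    // The post also rejects a password equal to the user's email or username.
    $personal = [normalizeForCompare($username), normalizeForCompare($email)];
    return in_array($candidate, $personal, true);
}

// Constructed sample sign-ups: [password, username, email].
$samples = [
    ['PassW0rd', 'jsmith', 'jsmith@example.com'],
    ['JSmith@Example.com', 'jsmith', 'jsmith@example.com'],
    ['correct horse battery staple', 'jsmith', 'jsmith@example.com'],
];
foreach ($samples as [$password, $username, $email]) {
    $verdict = isRejectedPassword($password, $username, $email) ? 'reject' : 'accept';
    echo str_pad($password, 30), $verdict, PHP_EOL;
}
```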