What is NBP?

NIST Bad Passwords, or NBP, aims to help make the reuse of common passwords a thing of the past. With the release of Special Publication 800-63-3: Digital Authentication Guidelines, it is now recommended to blacklist common passwords from being used in account registrations.

NBP is intended for quick client-side validation of common passwords only. It is still advisable to check server side if the password is not common.

From Naked Security @ Sophos:

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.

Demo

Your password is not common.

This demo uses SecList's 1,000,000 most common password list.

Usage

Using NBP is easy. Simply include the library in your registration page and place the collections folder in the same folder as the registration page. If you wish, you may specify a customs collections folder. Your folder structure should look like this:

The collections folder refers to the folder storing the compiled most common passwords. In default installations, is the folder containing mostcommon_*, i.e. mostcommon_100000

webroot/
├── css/
├── js/
|   ├── nbp/
|       ├── nbp.min.js
├── collections/
    ├── mostcommon_100000
    ├── ...
├── index.php
├── register.php
        

API Usage

Initalization

• Function signature



NBP.init([collection_name = "mostcommon_10000"] [, collection_folder_path = "collections/"] [, cache = true]);

• Example



NBP.init("mostcommon_100000", "register/nbpcollections/", true);

Check common password

• Function signature



NBP.isCommonPassword(password);

• Example



NBP.isCommonPassword('hunter2');

Password list sources

NBP comes with password lists sourced from SecLists by Daniel Miessler.

The inbuilt lists include:

• mostcommon_100
• mostcommon_500
• mostcommon_1000
• mostcommon_10000
• mostcommon_100000

Building your own password lists is as easy:

Your list should be in the following format, i.e. separated by new lines:

password1
password2
....
hunter2
        

Your list_out name must follow this format: [listname]_[list_count], i.e. my_custom_list_600

# Assuming pwd is git root

cd build_collection

node index.js raw_list_in list_out

mv list_out ../collections/.
        

Implementation details

NBP uses a bloom filter to store lists in a more compact format. The filter implementation can be found at cry/jsbloom.

LZString is used to compress raw bloom filter contents to UTF-16.

The bloom filter contents are cached in localStorage in order to avoid unnecessary downloads in order to improve user experience.