NIST Bad Passwords, or NBP, aims to help make the reuse of common passwords a thing of the past. With the release of Special Publication 800-63-3: Digital Authentication Guidelines, it is now recommended to blacklist common passwords from being used in account registrations.
NBP is intended for quick client-side validation of common passwords only. It is still advisable to check server-side that the password is not common.
Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.
Using NBP is easy. Simply include the library in your registration page and place the collections folder in the same folder as the registration page. If you wish, you may specify a custom collections folder. Your folder structure should look like this:

```
webroot/
├── css/
├── js/
│   ├── nbp/
│   │   ├── nbp.min.js
├── collections/
│   ├── mostcommon_100000
│   ├── ...
├── index.php
├── register.php
```

The collections folder is the folder storing the compiled lists of most common passwords. In default installations, this is the folder containing the mostcommon_* files, e.g. mostcommon_100000.
```
NBP.init([collection_name = "mostcommon_10000"] [, collection_folder_path = "collections/"] [, cache = true]);
```

For example:

```
NBP.init("mostcommon_100000", "register/nbpcollections/", true);
```
The inbuilt lists include:
Building your own password list is just as easy. Your list should be in the following format, one password per line:

```
password1
password2
....
hunter2
```

Your list_out name must follow the format [listname]_[list_count], e.g. my_custom_list_600. Then run:

```
# Assuming pwd is git root
cd build_collection
node index.js raw_list_in list_out
mv list_out ../collections/.
```
NBP uses a bloom filter to store lists in a more compact format. The filter implementation can be found at cry/jsbloom.
LZString is used to compress raw bloom filter contents to UTF-16.
The bloom filter contents are cached in localStorage to avoid unnecessary downloads and improve user experience.
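As an added example (not cry/nbp's own code; NBP's API is not reproduced here), the following JavaScript shows the pieces that the build procedure and the bloom-filter description above rely on: parsing a `[listname]_[list_count]` name, loading a newline-separated list, and a client-side bloom-filter check that never misses a listed password but may occasionally flag an unlisted one. The sample list, the FNV-1a hashing, the sizing parameters and the names `parseListName`, `buildCollection`, `isCommonPassword` and `falsePositiveRate` are all this example's own choices; LZString compression and localStorage caching are not shown.

```javascript
// Added example, not cry/nbp's code: a minimal bloom-filter blocklist check in
// the style the README describes. Hash functions and sizing are this example's
// own choices, not NBP's.

// Constructed sample list in the README's build format: one password per line,
// named "[listname]_[list_count]" (a hypothetical "sample_list_8").
const SAMPLE_LIST_NAME = "sample_list_8";
const SAMPLE_LIST_RAW = [
  "password1", "123456", "qwerty", "letmein",
  "ChangeMe", "thisisapassword", "yankees", "hunter2",
].join("\n");

// Parse "[listname]_[list_count]"; the count is used to size the filter.
function parseListName(name) {
  const m = /^(.+)_(\d+)$/.exec(name);
  if (!m) throw new Error(`list name must look like [listname]_[list_count]: ${name}`);
  return { listName: m[1], count: Number(m[2]) };
}

// Seeded FNV-1a 32-bit hash, used to derive the two base hashes below.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

class BloomFilter {
  // n = expected number of items, p = target false-positive rate.
  constructor(n, p = 0.01) {
    this.m = Math.ceil(-(n * Math.log(p)) / (Math.LN2 * Math.LN2)); // bits
    this.k = Math.max(1, Math.round((this.m / n) * Math.LN2));        // hashes
    this.bits = new Uint8Array(Math.ceil(this.m / 8));
  }
  // Kirsch-Mitzenmacher double hashing: position_i = h1 + i*h2 (mod m).
  positions(item) {
    const h1 = fnv1a(item, 0);
    const h2 = (fnv1a(item, 0x9e3779b9) | 1) >>> 0; // odd, so never 0
    const out = [];
    for (let i = 0; i < this.k; i++) out.push((h1 + i * h2) % this.m);
    return out;
  }
  add(item) {
    for (const p of this.positions(item)) this.bits[p >> 3] |= 1 << (p & 7);
  }
  mightContain(item) {
    return this.positions(item).every(p => ((this.bits[p >> 3] >> (p & 7)) & 1) === 1);
  }
}

// Build a filter from a raw list in the README's newline-separated format,
// refusing a list whose name does not match the number of entries.
function buildCollection(listName, rawList) {
  const { count } = parseListName(listName);
  const entries = rawList.split("\n").map(s => s.trim()).filter(Boolean);
  if (entries.length !== count) {
    throw new Error(`name says ${count} entries, list has ${entries.length}`);
  }
  const filter = new BloomFilter(count);
  for (const pw of entries) filter.add(pw);
  return filter;
}

// Client-side check: true means "reject, this is a known-bad password".
// A bloom filter has no false negatives, so every listed password is caught;
// it can have false positives, which for a blocklist is the safe direction.
function isCommonPassword(filter, candidate) {
  return filter.mightContain(candidate);
}

// Measure how often unlisted candidates are (wrongly) flagged.
function falsePositiveRate(filter, unlistedCandidates) {
  const hits = unlistedCandidates.filter(c => filter.mightContain(c)).length;
  return hits / unlistedCandidates.length;
}

const commonPasswords = buildCollection(SAMPLE_LIST_NAME, SAMPLE_LIST_RAW);
```

Because the filter can only err by rejecting an uncommon password, a client-side hit is a reason to ask the user for a different password, not proof the value is in the list; and because the check runs in the browser, the server must repeat it before accepting the registration, as the README notes above.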