NIST Bad Passwords

Common password validation made easy.

View the Project on GitHub cry/nbp

What is NBP?

NIST Bad Passwords, or NBP, aims to help make the reuse of common passwords a thing of the past. With the release of Special Publication 800-63-3: Digital Authentication Guidelines, it is now recommended to blacklist common passwords from being used in account registrations.

NBP is intended for quick client-side validation of common passwords only. It is still advisable to check server side if the password is not common.

From Naked Security @ Sophos:

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.


Your password is not common.

This demo uses SecList's 1,000,000 most common password list.


Using NBP is easy. Simply include the library in your registration page and place the collections folder in the same folder as the registration page. If you wish, you may specify a customs collections folder. Your folder structure should look like this:

The collections folder refers to the folder storing the compiled most common passwords. In default installations, is the folder containing mostcommon_*, i.e. mostcommon_100000

├── css/
├── js/
|   ├── nbp/
|       ├── nbp.min.js
├── collections/
    ├── mostcommon_100000
    ├── ...
├── index.php
├── register.php

API Usage


Check common password

Password list sources

NBP comes with password lists sourced from SecLists by Daniel Miessler.

The inbuilt lists include:

Building your own password lists is as easy:

Your list should be in the following format, i.e. separated by new lines:


Your list_out name must follow this format: [listname]_[list_count], i.e. my_custom_list_600

# Assuming pwd is git root

cd build_collection

node index.js raw_list_in list_out

mv list_out ../collections/.

Implementation details

NBP uses a bloom filter to store lists in a more compact format. The filter implementation can be found at cry/jsbloom.

LZString is used to compress raw bloom filter contents to UTF-16.

The bloom filter contents are cached in localStorage in order to avoid unnecessary downloads in order to improve user experience.