kanidm/kanidm_book/src/password_quality.md

# Password Quality and Badlisting

Kanidm embeds a set of tools to help your users use and create strong passwords. This is important as not all user types will require MFA for their roles, but compromised accounts still pose a risk. There may also be deployment or other barriers to a site rolling out site wide MFA.

## Quality Checking

Kanidm enforces that all passwords are checked by the library "[zxcvbn](https://github.com/dropbox/zxcvbn)". This has a large number of checks for password quality. It also provides constructive feedback to users on how to improve their passwords if it was rejected.

Some things that zxcvbn looks for is use of the account name or email in the password, common passwords, low entropy passwords, dates, reverse words and more.

This library can not be disabled - all passwords in Kanidm must pass this check.

## Password Badlisting

This is the process of configuring a list of passwords to exclude from being able to be used. This is especially useful if a specific business has been notified of a compromised account, allowing you to maintain a list of customised excluded passwords.

The other value to this feature is being able to badlist common passwords that zxcvbn does not detect, or from other large scale password compromises.

By default we ship with a preconfigured badlist that is updated overtime as new password breach lists are made available.

## Updating your own badlist.

You can update your own badlist by using the proided `kanidm_badlist_preprocess` tool which helps to automate this process.

Given a list of passwords in a text file, it will generate a modification set which can be applied. The tool also provides the command you need to run to apply this.

    kanidm_badlist_preprocess -m -o /tmp/modlist.json <password file> [<password file> <password file> ...]
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00			`# Password Quality and Badlisting`

Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`Kanidm embeds a set of tools to help your users use and create strong passwords. This is important as not all user types will require MFA for their roles, but compromised accounts still pose a risk. There may also be deployment or other barriers to a site rolling out site wide MFA.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
			`## Quality Checking`

Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`Kanidm enforces that all passwords are checked by the library "[zxcvbn](https://github.com/dropbox/zxcvbn)". This has a large number of checks for password quality. It also provides constructive feedback to users on how to improve their passwords if it was rejected.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`Some things that zxcvbn looks for is use of the account name or email in the password, common passwords, low entropy passwords, dates, reverse words and more.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
			`This library can not be disabled - all passwords in Kanidm must pass this check.`

			`## Password Badlisting`

Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`This is the process of configuring a list of passwords to exclude from being able to be used. This is especially useful if a specific business has been notified of a compromised account, allowing you to maintain a list of customised excluded passwords.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`The other value to this feature is being able to badlist common passwords that zxcvbn does not detect, or from other large scale password compromises.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`By default we ship with a preconfigured badlist that is updated overtime as new password breach lists are made available.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
			`## Updating your own badlist.`

Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			You can update your own badlist by using the proided `kanidm_badlist_preprocess` tool which helps to automate this process.
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
Auto-publishing the book and rustdoc. (#534) 2021-07-24 03:12:35 +02:00			`Given a list of passwords in a text file, it will generate a modification set which can be applied. The tool also provides the command you need to run to apply this.`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
			`kanidm_badlist_preprocess -m -o /tmp/modlist.json <password file> [<password file> <password file> ...]`