How to prevent users from registering into your app with insecure passwords

Valerio Barbera

Hi, I’m Valerio, software engineer and CTO at Inspector.

About one year ago one of our accounts on an external platform has been hacked. Our credit card was attached to this account so we had to warn the bank to block it. Fortunately, there were no consequences, neither for our bank account, nor for our customers in terms of data security.

It was a really important experience which helped us understand the needs to increase our security policy to prevent similar incidents from leading to worse consequences. I wrote about our roadmap to increase our security standards in this post: https://inspector.dev/how-to-turn-a-credentials-breach-into-a-development-opportunity/

Recently we added the weak passwords filter mentioned in the security roadmap and in this article I’ll show you how to implement the same mechanism in your application.

Yes, tons of people still use “123456” as a password, according to NordPass’s 200 most common passwords of the year for 2020, which is based on analysis of passwords exposed by data breaches.

Plenty of other epically insecure passwords continue to make the annual password hall of shame, including the aforementioned “password” (always in the top five) or “qwerty”.

Inspector provides two factor authentication as additional security layer, but prevent users from registering an account with one of these insecure passwords will greatly increase the level of security for all users.

Find a weak passwords list

Before starting with code we need to find a reliable list of most common passwords used by malicious attackers.

There are many source, you can find them in a dedicated wikipedia page: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Almost any password management software provides its own list based on their data. I made a combination of some of them to get the most complete list.

Here is my not permitted passwords array:

[
    'picture1',
    'password',
    'password1',
    '12345678',
    '111111',
    '123123',
    '12345',
    '1234567890',
    'senha',
    '1234567',
    'qwerty',
    'abc123',
    'Million2',
    'OOOOOO',
    '1234',
    'iloveyou',
    'aaron431',
    'qqww1122',
    '123',
    'omgpop',
    '123321',
    '654321',
    '123456789',
    'qwerty123',
    '1q2w3e4r',
    'admin',
    'qwertyuiop',
    '555555',
    'lovely',
    '7777777',
    'welcome',
    '888888',
    'princess',
    'dragon',
    '123qwe',
    'sunshine',
    '666666',
    'football',
    'monkey',
    '!@#$%^&*',
    'charlie',
    'aa123456',
    'donald',
]

Create a custom validation rule

We use Laravel as application framework but you are free to implement the same logic in any language or framework.

Laravel provides an easy create your own validation rules out the rules available by default. To generate a new rule object, you may use the make:rule Artisan command.

php artisan make:rule RejectWeakPasswords

Once the rule has been created, we are ready to define its behavior. A rule object contains two methods: passes and message.

The passes method receives the attribute value and name, and should return true or false depending on whether the value is valid or not. The message method should return the validation error message that should be used when validation fails:

<?php

namespace App\Rules;

use Illuminate\Contracts\Validation\Rule;

class RejectUnsecurePassword implements Rule
{
    /**
     * Determine if the validation rule passes.
     *
     * @param  string  $attribute
     * @param  mixed  $value
     * @return bool
     */
    public function passes($attribute, $value)
    {
        return !in_array($value, [
            'picture1',
            'password',
            'password1',
            '12345678',
            '111111',
            '123123',
            '12345',
            '1234567890',
            'senha',
            '1234567',
            'qwerty',
            'abc123',
            'Million2',
            'OOOOOO',
            '1234',
            'iloveyou',
            'aaron431',
            'qqww1122',
            '123',
            'omgpop',
            '123321',
            '654321',
            '123456789',
            'qwerty123',
            '1q2w3e4r',
            'admin',
            'qwertyuiop',
            '555555',
            'lovely',
            '7777777',
            'welcome',
            '888888',
            'princess',
            'dragon',
            '123qwe',
            'sunshine',
            '666666',
            'football',
            'monkey',
            '!@#$%^&*',
            'charlie',
            'aa123456',
            'donald',
        ]);
    }

    /**
     * Get the validation error message.
     *
     * @return string
     */
    public function message()
    {
        return 'The chosen password is not strong enough. Try again with a more secure string.';
    }
}

This rule was added to verify the registration information and also in the change password process.

Conclusion

People can’t be expected to create and remember dozens of unique, complex passwords. Instead, there are tools you can use. There are multiple password manager services that generate strong passwords for you and store them securely.

I personally use the password generator built into google chrome. When compile a new signup form use the right click on the password field. You’ll find the “Suggest a strong passowd” menu that will automatically generate a secure password for you and store it securely in your google account to automatically fill the log-in form the next time you access the same web site.

New to Inspector?

Are you looking for a “code-driven” monitoring tool instead of having to install things at the server level?

Get a monitoring environment specifically designed for software developers avoiding any server or infrastructure configuration.

Thanks to Inspector, you will never have the need to install things at the server level or make complex configuration in your cloud infrastructure to monitor your application in real-time.

Inspector works with a lightweight software library that you can install in your application like any other dependencies. In case of Laravel you have our official Laravel package at your disposal. Developers are not always comfortable installing and configuring software at the server level, because these installations are often managed by external teams, and they are out of the software development lifecycle.

Visit our website for more details: https://inspector.dev/laravel/

Related Posts

Is it better to BUILD an internal monitoring environment, or BUY a prepackaged solution?

“Build vs Buy” Bake-off: Which should you choose? Every case is different, and all of these factors should be considered carefully before making a decision. There are situations where building a solution makes sense, either because you have the time, your requirements aren’t very complex, or if your applications simply don’t have enough load to

How to extend Laravel with driver-based services

Hi, I’m Valerio, software engineer and CTO at Inspector. In this article I talk about a Laravel internal feature not mentioned in the official documentation called “Driver Manager”. It can completely change the way you design and develop your application solving critical architectural bottlenecks, allowing you to build large systems built around decoupled, independent and

Code Execution Monitoring for Symfony applications using Inspector

Hi, I’m Valerio software engineer from Italy and CTO at Inspector. As product owner I learned on my skin how an application issue can be so hard to identify and fix, creating negative impacts on the users experience, or block new potential customers in their on-boarding path. Users don’t spend their time reporting bugs, they