How to prevent users from registering into your app with insecure passwords

Valerio Barbera

Hi, I’m Valerio, software engineer and CTO at Inspector.

About one year ago one of our accounts on an external platform has been hacked. Our credit card was attached to this account so we had to warn the bank to block it. Fortunately, there were no consequences, neither for our bank account, nor for our customers in terms of data security.

It was a really important experience which helped us understand the needs to increase our security policy to prevent similar incidents from leading to worse consequences. I wrote about our roadmap to increase our security standards in this post: https://inspector.dev/how-to-turn-a-credentials-breach-into-a-development-opportunity/

Recently we added the weak passwords filter mentioned in the security roadmap and in this article I’ll show you how to implement the same mechanism in your application.

Yes, tons of people still use “123456” as a password, according to NordPass’s 200 most common passwords of the year for 2020, which is based on analysis of passwords exposed by data breaches.

Plenty of other epically insecure passwords continue to make the annual password hall of shame, including the aforementioned “password” (always in the top five) or “qwerty”.

Inspector provides two factor authentication as additional security layer, but prevent users from registering an account with one of these insecure passwords will greatly increase the level of security for all users.

Find a weak passwords list

Before starting with code we need to find a reliable list of most common passwords used by malicious attackers.

There are many source, you can find them in a dedicated wikipedia page: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Almost any password management software provides its own list based on their data. I made a combination of some of them to get the most complete list.

Here is my not permitted passwords array:

[
    'picture1',
    'password',
    'password1',
    '12345678',
    '111111',
    '123123',
    '12345',
    '1234567890',
    'senha',
    '1234567',
    'qwerty',
    'abc123',
    'Million2',
    'OOOOOO',
    '1234',
    'iloveyou',
    'aaron431',
    'qqww1122',
    '123',
    'omgpop',
    '123321',
    '654321',
    '123456789',
    'qwerty123',
    '1q2w3e4r',
    'admin',
    'qwertyuiop',
    '555555',
    'lovely',
    '7777777',
    'welcome',
    '888888',
    'princess',
    'dragon',
    '123qwe',
    'sunshine',
    '666666',
    'football',
    'monkey',
    '[email protected]#$%^&*',
    'charlie',
    'aa123456',
    'donald',
]

Create a custom validation rule

We use Laravel as application framework but you are free to implement the same logic in any language or framework.

Laravel provides an easy create your own validation rules out the rules available by default. To generate a new rule object, you may use the make:rule Artisan command.

php artisan make:rule RejectWeakPasswords

Once the rule has been created, we are ready to define its behavior. A rule object contains two methods: passes and message.

The passes method receives the attribute value and name, and should return true or false depending on whether the value is valid or not. The message method should return the validation error message that should be used when validation fails:

<?php
namespace App\Rules;
use Illuminate\Contracts\Validation\Rule;
class RejectUnsecurePassword implements Rule
{
    /**
     * Determine if the validation rule passes.
     *
     * @param  string  $attribute
     * @param  mixed  $value
     * @return bool
     */
    public function passes($attribute, $value)
    {
        return !in_array($value, [
            'picture1',
            'password',
            'password1',
            '12345678',
            '111111',
            '123123',
            '12345',
            '1234567890',
            'senha',
            '1234567',
            'qwerty',
            'abc123',
            'Million2',
            'OOOOOO',
            '1234',
            'iloveyou',
            'aaron431',
            'qqww1122',
            '123',
            'omgpop',
            '123321',
            '654321',
            '123456789',
            'qwerty123',
            '1q2w3e4r',
            'admin',
            'qwertyuiop',
            '555555',
            'lovely',
            '7777777',
            'welcome',
            '888888',
            'princess',
            'dragon',
            '123qwe',
            'sunshine',
            '666666',
            'football',
            'monkey',
            '[email protected]#$%^&*',
            'charlie',
            'aa123456',
            'donald',
        ]);
    }
    /**
     * Get the validation error message.
     *
     * @return string
     */
    public function message()
    {
        return 'The chosen password is not strong enough. Try again with a more secure string.';
    }
}

This rule was added to verify the registration information and also in the change password process.

Conclusion

People can’t be expected to create and remember dozens of unique, complex passwords. Instead, there are tools you can use. There are multiple password manager services that generate strong passwords for you and store them securely.

I personally use the password generator built into google chrome. When compile a new signup form use the right click on the password field. You’ll find the “Suggest a strong passowd” menu that will automatically generate a secure password for you and store it securely in your google account to automatically fill the log-in form the next time you access the same web site.

New to Inspector?

If you found this post interesting and want to supercharge your development team, you can try Inspector.

Inspector is a Code Execution Monitoring tool that helps you to identify bugs and bottlenecks in your applications automatically. Before your customers do.

screenshot inspector code monitoring timeline

It is completely code-driven. You won’t have to install anything at the server level or make complex configurations in your cloud infrastructure.

It works with a lightweight software library that you can install in your application like any other dependencies. Check out the supported technologies in the GitHub organization.

Create an account, or visit our website for more information: https://inspector.dev

Related Posts

How to make Vite Hot Module Replacement work on Windows

As many of our community members already know, we recently started the renovation of the Inspector dashboard UI with a fresh new design and a modern technology stack. In this article I will explain why we decided to leave Webpack and embrace Vite as assets build tool and Hot Module Replacement. I will show you

Http traffic monitoring for Slim framework

This article follows the release of the first version of the monitoring library for Slim framework. Thanks to this package you can fully monitor the HTTP traffic against your application based on Slim. It takes less than one minute to get started. First let me give you a bit of context. Introducing the Slim framework

How to use wildcards in ExpressJs and Fastify monitoring libraries

With the booming software economy, the demand for new applications and software-defined automations is set to grow in the future years. Companies in any industry are creating software in the form of internal business tools, productivity tools, integrations, automations, and more. As a result, there is a need for tools that make it easy to

How to build scalable applications

Get the e-book about the Inspector scalability journey.