How to prevent users from registering into your app with insecure passwords

Valerio Barbera

Hi, I’m Valerio, software engineer and CTO at Inspector.

About one year ago one of our accounts on an external platform has been hacked. Our credit card was attached to this account so we had to warn the bank to block it. Fortunately, there were no consequences, neither for our bank account, nor for our customers in terms of data security.

It was a really important experience which helped us understand the needs to increase our security policy to prevent similar incidents from leading to worse consequences. I wrote about our roadmap to increase our security standards in this post: https://inspector.dev/how-to-turn-a-credentials-breach-into-a-development-opportunity/

Recently we added the weak passwords filter mentioned in the security roadmap and in this article I’ll show you how to implement the same mechanism in your application.

How many people still use “password” as a password. Also in tech companies because sometimes the account is shared by many people that they choos an obvious word.

Inspector provides two factor authentication as additional security layer, but prevent users from registering an account with one of these insecure passwords will greatly increase the level of security for all users.

Find a weak passwords list

Before starting with code we need to find a reliable list of most common passwords used by malicious attackers.

There are many source, you can find them in a dedicated wikipedia page: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Almost any password management software provides its own list based on their data. I made a combination of some of them to get the most complete list.

Here is my not permitted passwords array:

[
    'picture1',
    'password',
    'password1',
    '12345678',
    '111111',
    '123123',
    '12345',
    '1234567890',
    'senha',
    '1234567',
    'qwerty',
    'abc123',
    'Million2',
    'OOOOOO',
    '1234',
    'iloveyou',
    'aaron431',
    'qqww1122',
    '123',
    'omgpop',
    '123321',
    '654321',
    '123456789',
    'qwerty123',
    '1q2w3e4r',
    'admin',
    'qwertyuiop',
    '555555',
    'lovely',
    '7777777',
    'welcome',
    '888888',
    'princess',
    'dragon',
    '123qwe',
    'sunshine',
    '666666',
    'football',
    'monkey',
    '!@#$%^&*',
    'charlie',
    'aa123456',
    'donald',
]

Create a custom validation rule

We use Laravel as application framework but you are free to implement the same logic in any language or framework.

Laravel provides an easy create your own validation rules out the rules available by default. To generate a new rule object, you may use the make:rule Artisan command.

php artisan make:rule RejectWeakPasswords

Once the rule has been created, we are ready to define its behavior. A rule object contains two methods: passes and message.

The passes method receives the attribute value and name, and should return true or false depending on whether the value is valid or not. The message method should return the validation error message that should be used when validation fails:

<?php
namespace App\Rules;
use Illuminate\Contracts\Validation\Rule;
class RejectUnsecurePassword implements Rule
{
    /**
     * Determine if the validation rule passes.
     *
     * @param  string  $attribute
     * @param  mixed  $value
     * @return bool
     */
    public function passes($attribute, $value)
    {
        return !in_array($value, [
            'picture1',
            'password',
            'password1',
            '12345678',
            '111111',
            '123123',
            '12345',
            '1234567890',
            'senha',
            '1234567',
            'qwerty',
            'abc123',
            'Million2',
            'OOOOOO',
            '1234',
            'iloveyou',
            'aaron431',
            'qqww1122',
            '123',
            'omgpop',
            '123321',
            '654321',
            '123456789',
            'qwerty123',
            '1q2w3e4r',
            'admin',
            'qwertyuiop',
            '555555',
            'lovely',
            '7777777',
            'welcome',
            '888888',
            'princess',
            'dragon',
            '123qwe',
            'sunshine',
            '666666',
            'football',
            'monkey',
            '!@#$%^&*',
            'charlie',
            'aa123456',
            'donald',
        ]);
    }
    /**
     * Get the validation error message.
     *
     * @return string
     */
    public function message()
    {
        return 'The chosen password is not strong enough. Try again with a more secure string.';
    }
}

This rule was added to verify the registration information and also in the change password process.

Conclusion

People can’t be expected to create and remember dozens of unique, complex passwords. Instead, there are tools you can use. There are multiple password manager services that generate strong passwords for you and store them securely.

I personally use the password generator built into google chrome. When compile a new signup form use the right click on the password field. You’ll find the “Suggest a strong passowd” menu that will automatically generate a secure password for you and store it securely in your google account to automatically fill the log-in form the next time you access the same web site.

New to Inspector?

If you found this post interesting and want to supercharge your development team, you can try Inspector.

Inspector is a Code Execution Monitoring tool that helps you to identify bugs and bottlenecks in your applications automatically. Before your customers do.

screenshot inspector code monitoring timeline

It is completely code-driven. You won’t have to install anything at the server level or make complex configurations in your cloud infrastructure.

It works with a lightweight software library that you can install in your application like any other dependencies. Check out the supported technologies in the GitHub organization.

Create an account, or visit our website for more information: https://inspector.dev

Related Posts

Laravel Http Client Overview and Monitoring

Laravel HTTP client was introduced starting from version 10 of the framework, and then also made available in all previous versions. It stands out as a powerful tool for making HTTP requests and handling responses from external services. This article will delve into the technical foundations of the Laravel HTTP client, its motivations, and how

Laravel Form Request and Data Validation Tutorial

In this article I will talk about Laravel Form Request to send data from your application frontend to the backend. In web applications, data is usually sent via HTML forms: the data entered by the user into the browser is sent to the server and stored in the database eventually. Laravel makes it extremely simple

Upload File in Laravel

You can upload file in Laravel using its beautiful unified API to interact with many different types of storage systems, from local disk to remote object storage like S3. As many other Laravel components you can interact with the application filesystem through the Storage Facade: Illuminate/Support/Facades/Storage This class allows you to access storage drivers called