How to prevent users from registering into your app with insecure passwords

Valerio Barbera

Hi, I’m Valerio, software engineer and CTO at Inspector.

About one year ago one of our accounts on an external platform was hacked. Our credit card was attached to this account, so we had to warn the bank to block it. Fortunately, there were no consequences, neither for our bank account nor for our customers in terms of data security.

It was a really important experience which helped us understand the need to strengthen our security policy to prevent similar incidents from leading to worse consequences. I wrote about our roadmap to increase our security standards in this post: https://inspector.dev/how-to-turn-a-credentials-breach-into-a-development-opportunity/

Recently we added the weak passwords filter mentioned in the security roadmap and in this article I’ll show you how to implement the same mechanism in your application.

Yes, tons of people still use “123456” as a password, according to NordPass’s 200 most common passwords of the year for 2020, which is based on analysis of passwords exposed by data breaches.

Plenty of other epically insecure passwords continue to make the annual password hall of shame, including the aforementioned “password” (always in the top five) or “qwerty”.

Inspector provides two-factor authentication as an additional security layer, but preventing users from registering an account with one of these insecure passwords will greatly increase the level of security for all users.

Find a weak passwords list

Before starting with the code, we need to find a reliable list of the most common passwords used by malicious attackers.

There are many sources; you can find them on a dedicated Wikipedia page: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Almost every password management tool provides its own list based on its data. I made a combination of some of them to get the most complete list.

Here is my array of not-permitted passwords:

[
    'picture1',
    'password',
    'password1',
    '12345678',
    '111111',
    '123123',
    '12345',
    '1234567890',
    'senha',
    '1234567',
    'qwerty',
    'abc123',
    'Million2',
    'OOOOOO',
    '1234',
    'iloveyou',
    'aaron431',
    'qqww1122',
    '123',
    'omgpop',
    '123321',
    '654321',
    '123456789',
    'qwerty123',
    '1q2w3e4r',
    'admin',
    'qwertyuiop',
    '555555',
    'lovely',
    '7777777',
    'welcome',
    '888888',
    'princess',
    'dragon',
    '123qwe',
    'sunshine',
    '666666',
    'football',
    'monkey',
    '!@#$%^&*',
    'charlie',
    'aa123456',
    'donald',
]

Create a custom validation rule

We use Laravel as our application framework, but you are free to implement the same logic in any language or framework.

Laravel provides an easy way to create your own validation rules in addition to the rules available by default. To generate a new rule object, you may use the make:rule Artisan command.

php artisan make:rule RejectWeakPasswords

Once the rule has been created, we are ready to define its behavior. A rule object contains two methods: passes and message.

The passes method receives the attribute value and name, and should return true or false depending on whether the value is valid or not. The message method should return the validation error message that should be used when validation fails:

<?php

namespace App\Rules;

use Illuminate\Contracts\Validation\Rule;

class RejectWeakPasswords implements Rule
{
    /**
     * Determine if the validation rule passes.
     *
     * @param  string  $attribute
     * @param  mixed  $value
     * @return bool
     */
    public function passes($attribute, $value)
    {
        return !in_array($value, [
            'picture1',
            'password',
            'password1',
            '12345678',
            '111111',
            '123123',
            '12345',
            '1234567890',
            'senha',
            '1234567',
            'qwerty',
            'abc123',
            'Million2',
            'OOOOOO',
            '1234',
            'iloveyou',
            'aaron431',
            'qqww1122',
            '123',
            'omgpop',
            '123321',
            '654321',
            '123456789',
            'qwerty123',
            '1q2w3e4r',
            'admin',
            'qwertyuiop',
            '555555',
            'lovely',
            '7777777',
            'welcome',
            '888888',
            'princess',
            'dragon',
            '123qwe',
            'sunshine',
            '666666',
            'football',
            'monkey',
            '!@#$%^&*',
            'charlie',
            'aa123456',
            'donald',
        ]);
    }

    /**
     * Get the validation error message.
     *
     * @return string
     */
    public function message()
    {
        return 'The chosen password is not strong enough. Try again with a more secure string.';
    }
}

We added this rule to the validation of the registration information and also to the change-password process.
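The rule above compares the submitted value with the list exactly, so a case variant such as “Password” is accepted. The following added example (not code from the article or from Inspector) goes beyond the rule by lowercasing both sides before the lookup; the class name WeakPasswordFilter and the candidate inputs are assumptions, and the list is a subset of the one above.

```php
<?php
declare(strict_types=1);

// Added example: WeakPasswordFilter is a hypothetical name, not part of Laravel or Inspector.
final class WeakPasswordFilter
{
    /** @var array<string|int, true> normalized entry => true, used as a hash set */
    private array $denied = [];

    /** @param iterable<string> $passwords the deny list */
    public function __construct(iterable $passwords)
    {
        foreach ($passwords as $password) {
            $this->denied[self::normalize((string) $password)] = true;
        }
    }

    /** Lowercase so "Password" and "PASSWORD" hit the same key as "password". */
    private static function normalize(string $password): string
    {
        return strtolower($password); // the list entries are ASCII
    }

    /** Same contract as the rule's passes(): true means the value is accepted. */
    public function passes($value): bool
    {
        // Arrays or numbers (e.g. decoded from a JSON body) are not valid passwords.
        if (!is_string($value)) {
            return false;
        }
        return !isset($this->denied[self::normalize($value)]);
    }
}

// Constructed sample: a subset of the article's list and a few candidate inputs.
$list = ['password', 'qwerty', 'dragon', '12345678', 'Million2'];
$filter = new WeakPasswordFilter($list);

foreach (['password', 'Password', 'QWERTY', 'million2', '12345678', 'vK7#tq9!Lm2x'] as $candidate) {
    printf(
        "%-14s exact match: %-7s normalized: %s\n",
        $candidate,
        in_array($candidate, $list, true) ? 'reject' : 'accept',
        $filter->passes($candidate) ? 'accept' : 'reject'
    );
}
```

Inside the Laravel rule, the same normalization can be applied to $value in passes() before the list lookup.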

Conclusion

People can’t be expected to create and remember dozens of unique, complex passwords. Instead, there are tools you can use. There are multiple password manager services that generate strong passwords for you and store them securely.

I personally use the password generator built into Google Chrome. When you fill in a new signup form, right-click on the password field. You’ll find the “Suggest a strong password” menu item, which automatically generates a secure password for you and stores it securely in your Google account, so that it can automatically fill the login form the next time you access the same website.

New to Inspector?

If you found this post interesting and want to supercharge your development team, you can try Inspector.

Inspector is a Code Execution Monitoring tool that helps you to identify bugs and bottlenecks in your applications automatically. Before your customers do.

It is completely code-driven. You won’t have to install anything at the server level or make complex configurations in your cloud infrastructure.

It works with a lightweight software library that you can install in your application like any other dependencies. Check out the supported technologies in the GitHub organization.

Create an account, or visit our website for more information: https://inspector.dev

2020 © Inspector S.R.L. - VAT: 09552901218 - Progetto agevolato con la misura Resto al SUD RSUD0000000 - CUP C61B21012300008