# CommonPasswords will check a given password against a list of the most commonly used passwords.
# The list comes from https://github.com/danielmiessler/SecLists/tree/master/Passwords
# specifically the list of 10 million passwords, top 100k, filtered by length
#
# The list is stored in Redis at a key that is shared by all sites in a multisite config.
#
# If the password file is changed, you need to add a migration that deletes the list from redis
# so it gets re-populated:
#
# $redis.without_namespace.del CommonPasswords::LIST_KEY
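class CommonPasswords
  # Newline-separated password list on disk, one password per line.
  PASSWORD_FILE = File.join(Rails.root, 'lib', 'common_passwords', '10-char-common-passwords.txt')

  # Redis SET holding the list. It is accessed through `without_namespace`, so in a
  # multisite deployment every site reads and writes this one set (see the header comment).
  LIST_KEY = 'discourse-common-passwords'.freeze

  # Serialises the "is the set populated? if not, load it" step within this process.
  # A Mutex is process-local: separate worker processes can still both decide to load
  # and issue overlapping SADDs; that is harmless because SADD is idempotent.
  @mutex = Mutex.new

  # Is +password+ on the common-password list?
  #
  # The comparison is a verbatim SISMEMBER lookup: no case folding, trimming or
  # normalisation is applied, so callers wanting those semantics must do it themselves.
  #
  # @param password [String, nil] candidate password
  # @return [Boolean] true if the exact string is in the set; false for a blank
  #   password, or when the list could not be populated (the set is then empty)
  def self.common_password?(password)
    return false unless password.present?
    password_list.include?(password)
  end

  # NOTE: a bare `private` does not apply to `def self.` methods nor to the nested
  # class constant below, so everything after this line is still publicly reachable.
  # RedisPasswordList#include? relies on that: it calls CommonPasswords.redis with an
  # explicit receiver, which a private singleton method would refuse.
  private

  # Presents the Redis set through an Array-like `include?`.
  class RedisPasswordList
    # @param password [String] password to look up verbatim
    # @return [Boolean] result of SISMEMBER against the shared set
    def include?(password)
      CommonPasswords.redis.sismember CommonPasswords::LIST_KEY, password
    end
  end

  # Returns an object answering `include?`, first populating the Redis set from disk
  # if it is empty.
  #
  # "Loaded" is judged by SCARD > 0, so a set left half-populated by an interrupted
  # load is treated as complete; deleting LIST_KEY (see the header comment) forces a
  # full reload.
  #
  # @return [RedisPasswordList]
  def self.password_list
    @mutex.synchronize do
      load_passwords if redis.scard(LIST_KEY).zero?
    end
    RedisPasswordList.new
  end

  # The un-namespaced Redis connection, so the key is shared across sites.
  #
  # @return [Redis]
  def self.redis
    $redis.without_namespace
  end

  # Streams PASSWORD_FILE into the Redis set, one SADD per line.
  #
  # File.foreach is used rather than File.readlines so the whole list is never held
  # in memory at once; the set receives the same members in the same order.
  #
  # A missing file is logged and tolerated so signups are not blocked (the set stays
  # empty and every password is then reported as not common). Any other I/O error
  # propagates to the caller.
  #
  # @return [void]
  def self.load_passwords
    File.foreach(PASSWORD_FILE) do |line|
      # one member per SADD: slower, but a tad more compatible with older Redis servers
      redis.sadd LIST_KEY, line.chomp
    end
  rescue Errno::ENOENT
    # tolerate this so we don't block signups
    Rails.logger.error "Common passwords file #{PASSWORD_FILE} is not found! Common password checking is skipped."
  end
end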