gosora/docs/weak_passwords.md

# Weak Passwords

For configuring the list of weak passwords and weak password detection rules, we have `config/weakpass.json` which overwrites the default values defined in `config/weakpass_default.json`

There are two sections: `contains` and `literal`. `contains` scans the password to see if a specified piece of text is in it and `literal` checks if the password matches the specified rule exactly (with some exceptions).

All passwords are converted to lowercase form before either scanner is ran on them to detect common tricks like capitalizing the first letter.

`contains` is slower and may not scale with a large number of rules, but it is more effective at finding certain patterns which a password cracker could exploit to crack someone's password.

`literal` is very inflexible and only matches rules literally. One exception is that it will remove numbers from the end of the password running the rule.
docs for weakpass.json grammar add a weakpass literal 2020-06-19 03:03:10 +00:00			`# Weak Passwords`

			For configuring the list of weak passwords and weak password detection rules, we have `config/weakpass.json` which overwrites the default values defined in `config/weakpass_default.json`

			There are two sections: `contains` and `literal`. `contains` scans the password to see if a specified piece of text is in it and `literal` checks if the password matches the specified rule exactly (with some exceptions).

clarify how the weak password scanner works 2020-06-19 03:18:44 +00:00			`All passwords are converted to lowercase form before either scanner is ran on them to detect common tricks like capitalizing the first letter.`

docs for weakpass.json grammar add a weakpass literal 2020-06-19 03:03:10 +00:00			`contains` is slower and may not scale with a large number of rules, but it is more effective at finding certain patterns which a password cracker could exploit to crack someone's password.

clarify how the weak password scanner works 2020-06-19 03:18:44 +00:00			`literal` is very inflexible and only matches rules literally. One exception is that it will remove numbers from the end of the password running the rule.