Experiment with NIST 800-63B password rules in Python

Every time I create a new account, I often get disturbed by this message. hate-tweet-about-password-rules.png So what kind of person is a good password? From now on, I will try the NIST password rules learned from Data Camp in Python. Since Japanese is not my mother tongue, I will use English when it is difficult to explain, so please forgive me.

The repository is at https://github.com/Bing-Violet/Bad-passwords-and-the-NIST-guidelines with the data sets available.


There're loads of criteria for a good password. It's hard to define what is a good password. However, the National Institute of Standards and Technology (NIST) gives you a guide not to make a bad password from the cyber-security perspective.

# Importing the pandas module
import pandas as pd

# Loading in datasets/users.csv 
users = pd.read_csv("datasets/users.csv")

# Printing out how many users we've got
print(users.count())

# Taking a look at the 12 first users
print(users.head(12))

Passwords should not be too short

# Calculating the lengths of users' passwords
users['length'] = users['password'].str.len()

# Flagging the users with too short passwords
users['too_short'] = users['length'] < 8

# Counting and printing the number of users with too short passwords
print(users['too_short'].count())

# Taking a look at the 12 first rows
print(users.head(12))

Passwords shouldn't be Common passwords

Common passwords and combinations should be avoided as they could be expected. General common passwords include but not restricted to:

# Reading in the top 10000 passwords
common_passwords = pd.read_csv('datasets/10_million_password_list_top_10000.txt', header=None, squeeze=True)

# Taking a look at the top 20
print(common_passwords.head(20))

We fetch the common password list, then find out all the passwords fall in this category.

# Flagging the users with passwords that are common passwords
users['common_password'] = users['password'].isin(common_passwords)

# Counting and printing the number of users using common passwords
print(users['common_password'].count())

# Taking a look at the 12 first rows
print(users['common_password'].head(12))

Passwords should not be common passwords

By the same token, passwords shouldn't be common words. This may not apply to local Japanese people, as the list we fetch here only contains popular English dictionary words.

# Reading in a list of the 10000 most common words
words = pd.read_csv('datasets/google-10000-english.txt', header=None, squeeze=True)

# Flagging the users with passwords that are common words
users['common_word'] = users['password'].str.lower().isin(words)

# Counting and printing the number of users using common words as passwords
print(users['common_word'].count())

# Taking a look at the 12 first rows
print(users['common_word'].head(12))

Passwords should not be your name We should also flag passwords that contain users' names as a bad password practice.

# Extracting first and last names into their own columns
users['first_name'] = users['user_name'].str.extract(r'(\w+)', expand = False)
users['last_name'] = users['user_name'].str.extract(r'(\w+$)', expand = False)

# Flagging the users with passwords that matches their names
users['uses_name'] = (users['password']==(users['first_name']))|(users['password']==(users['last_name']))

# Counting and printing the number of users using names as passwords
print(users['uses_name'].count())

# Taking a look at the 12 first rows
print(users['uses_name'].head(12))

Passwords should not be repetitive

### Flagging the users with passwords with >= 4 repeats
users['too_many_repeats'] = users['password'].str.contains(r'(.)\1\1\1')

# Taking a look at the users with too many repeats
print(users['too_many_repeats'])

All together now! Now let's combine the criteria listed above and filter out all the bad passwords.

# Flagging all passwords that are bad
users['bad_password'] = ( 
    users['too_short'] | 
    users['common_password'] |
    users['common_word'] | 
    users['user_name'] |
    users['too_many_repeats'])

# Counting and printing the number of bad passwords
print((users['bad_password']==True).count())

# Looking at the first 25 bad passwords
print(users['bad_password'].head(25))

This is how we can filter out the bad passwords in a data set. And similar approaches can be adopted for your current database if you already have some users and want to improve the security for their accounts. :champagne:

Recommended Posts

Experiment with NIST 800-63B password rules in Python
Password generation in texto with python
Scraping with selenium in Python
Scraping with chromedriver in python
Debugging with pdb in Python
Working with sounds in Python
Scraping with Selenium in Python
Scraping with Tor in Python
Tweet with image in Python
Combined with permutations in Python
Easy password box in Python
Password management with python: keyring
Basic authentication with an encrypted password (.htpasswd) in bottle with python
Number recognition in images with Python
Testing with random numbers in Python
GOTO in Python with Sublime Text 3
Working with LibreOffice in Python: import
Scraping with Selenium in Python (Basic)
CSS parsing with cssutils in Python
Numer0n with items made in Python
Open UTF-8 with BOM in Python
Widrow-Hoff learning rules implemented in Python
Use rospy with virtualenv in Python3
Use Python in pyenv with NeoVim
Heatmap with Dendrogram in Python + matplotlib
[Python] Generate a password with Slackbot
Read files in parallel with Python
Implemented Perceptron learning rules in Python
Use OpenCV with Python 3 in Window
Until dealing with python in Atom
Get started with Python in Blender
Working with DICOM images in Python
Spiral book in Python! Python with a spiral book! (Chapter 14 ~)
Solve ABC175 A, B, C in Python
Try logging in to qiita with Python
Stress Test with Locust written in Python
Python3> in keyword> True with partial match?
Device monitoring with On-box Python in IOS-XE
Try working with binary data in Python
Draw Nozomi Sasaki in Excel with python
Tips for dealing with binaries in Python
Display Python 3 in the browser with MAMP
Page cache in Python + Flask with Flask-Caching
Post Test 3 (Working with PosgreSQL in Python)
How to work with BigQuery in Python
Playing card class in Python (with comparison)
Simplify PDF password unlock with python + bat
Process multiple lists with for in Python
Connect with mysql.connector with ssh tunnel in Python 3.7
One liner webServer (with CGI) in python
Get Started with TopCoder in Python (2020 Edition)
Solve ABC165 A, B, D in Python
Call sudo in Python and autofill password
Easy image processing in Python with Pillow
To work with timestamp stations in Python
Call APIGateWay with APIKey in python requests
Residual analysis in Python (Supplement: Cochrane rules)
I created a password tool in Python.
Read text in images with python OCR
Introduced sip-4.14 in python3.2.2 environment with MacOS 10.7.4
[Python] Get the files in a folder with Python