What is NBP?

NIST Bad Passwords, or NBP, aims to help make the reuse of common passwords a thing of the past. With the release of Special Publication 800-63-3: Digital Authentication Guidelines, it is now recommended to blacklist common passwords from being used in account registrations.

NBP is intended for quick client-side validation of common passwords only. It is still advisable to check server-side that the password is not common.

From Naked Security @ Sophos:

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.

Demo

This demo uses the SecLists 1,000,000 most common password list.

Usage

Using NBP is easy. Simply include the library in your registration page and place the collections folder in the same folder as the registration page. If you wish, you may specify a custom collections folder. Your folder structure should look like this:

The collections folder refers to the folder storing the compiled most common passwords. In default installations, this is the folder containing the mostcommon_* files, e.g. mostcommon_100000.

webroot/
├── css/
├── js/
│   └── nbp/
│       └── nbp.min.js
├── collections/
│   ├── mostcommon_100000
│   └── ...
├── index.php
└── register.php

API Usage

Initialization

Function signature

NBP.init([collection_name = "mostcommon_10000"] [, collection_folder_path = "collections/"] [, cache = true]);

Example

NBP.init("mostcommon_100000", "register/nbpcollections/", true);

Check common password

Function signature

NBP.isCommonPassword(password);

Example

NBP.isCommonPassword('hunter2');

Password list sources

NBP comes with password lists sourced from SecLists by Daniel Miessler.

The inbuilt lists include:

mostcommon_100

mostcommon_500

mostcommon_1000

mostcommon_10000

mostcommon_100000

Building your own password list is just as easy.

Your list should contain one password per line, i.e. entries separated by new lines:

password1
password2
....
hunter2

Your list_out name must follow the format [listname]_[list_count], e.g. my_custom_list_600

# Assuming pwd is git root
cd build_collection
node index.js raw_list_in list_out
mv list_out ../collections/.

Implementation details

NBP uses a bloom filter to store lists in a more compact format. The filter implementation can be found at cry/jsbloom.

LZString is used to compress raw bloom filter contents to UTF-16.

The bloom filter contents are cached in localStorage to avoid unnecessary downloads and improve user experience.
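To make the trade-off behind the bloom filter concrete, here is an added example (not NBP's or jsbloom's code) that builds a small filter over a constructed password list, checks a password the way NBP.isCommonPassword does, and measures the false-positive rate. The hash function, filter sizing and sample list are all assumptions of this example; a bloom filter never misses a listed password, but it can flag an unlisted one, which is why the server-side check above is still needed.

```javascript
// Added example, not NBP's or jsbloom's code: a minimal Bloom filter of the kind
// NBP uses to hold a common-password list compactly in the browser. It has no
// false negatives (every listed password is flagged) but can have false positives.

// FNV-1a 32-bit over UTF-16 code units; two seeds give the two base hashes
// for Kirsch-Mitzenmacher double hashing.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h;
}
class BloomFilter {
  constructor(mBits, k) {
    this.m = mBits; this.k = k; this.bits = new Uint8Array(Math.ceil(mBits / 8));
  }
  // k bit indices (h1 + i*h2) mod m; "| 1" keeps the step odd and non-zero.
  positions(item) {
    const h1 = fnv1a(item, 0), h2 = (fnv1a(item, 0x9e3779b9) | 1) >>> 0;
    return Array.from({ length: this.k }, (_, i) => (h1 + i * h2) % this.m);
  }
  add(item) {
    for (const p of this.positions(item)) this.bits[p >> 3] |= 1 << (p & 7);
  }
  mightContain(item) {
    return this.positions(item).every((p) => (this.bits[p >> 3] >> (p & 7)) & 1);
  }
}

// Size for target false-positive rate p: m = -n ln p / (ln 2)^2, k = (m/n) ln 2.
function buildFilter(passwords, p) {
  const n = passwords.length;
  const m = Math.ceil((-n * Math.log(p)) / (Math.LN2 * Math.LN2));
  const bf = new BloomFilter(m, Math.max(1, Math.round((m / n) * Math.LN2)));
  passwords.forEach((pw) => bf.add(pw));
  return bf;
}

// Constructed sample list; NBP's real collections are built from SecLists.
const COMMON_PASSWORDS = ["123456", "password", "hunter2", "qwerty", "letmein", "yankees"];
const filter = buildFilter(COMMON_PASSWORDS, 0.001);

// Client-side check in the spirit of NBP.isCommonPassword(): true means reject.
// False positives make this advisory only, so the server must check again.
function isCommonPassword(password) { return filter.mightContain(password); }
// Empirical false-positive rate over constructed strings that are not listed.
function measureFalsePositiveRate(bf, trials) {
  let hits = 0;
  for (let i = 0; i < trials; i++) if (bf.mightContain("not-common-" + i)) hits++;
  return hits / trials;
}
```

The 11-byte filter replaces a 46-character list here; at NBP's scale the same ratio is what makes shipping a 100,000-entry list to the browser practical.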