lithnet/ad-password-protection

Normalized bad words succeeding when they should fail

darkpixel opened this issue · 4 comments

It seems like normalized banned words are succeeding when they should be failing.

If I add 'doctor' and 'dental' to the list of banned words, the system totally accepts the words 'doctor' and 'dental', but will fail when 'd0ct0r' or 'd3nt@l' are used.


I've gone through the docs a few times, and it seems like this should cause the password change to fail.

Maybe I'm misunderstanding something?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

Zark off stalebot. There's no activity because the developers haven't responded yet.

Hi @darkpixel

There's some nuance to the way the banned word filter works.

It's designed to prevent the use of a password based on a simple word. Not to prevent the use of a word entirely in a password.

So we take the common brute-force techniques used by password cracking tools and apply those to the password as a whole.

So we don't want common, easy to predict patterns used for passwords. So in your doctor case, we avoid passwords derived from the word doctor.
D0ctor1
Doctor123

But we don't prevent the use of the word doctor in a way that isn't recognized in a brute force pattern.

My Favorite Doctor is Dr Jim
ihategoingtothedoctor

More information on the exact normalization process can be found here.
https://docs.lithnet.io/password-protection/advanced-help/normalization-rules
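The distinction the maintainer draws above, as an added illustration that is not Lithnet's code and does not reproduce its actual normalization rules: the whole password is reduced by a few constructed, cracker-style rules (case folding, stripping leading/trailing digits and symbols, undoing common leet substitutions) and only then compared against the banned list, so "D0ctor1" is caught while "ihategoingtothedoctor" is not. The substring check the reporter expected is included for contrast.

```python
import re
from typing import Iterable

# Constructed leet-speak reversal table; an illustrative subset, not Lithnet's table.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password the way a mangling-rule cracker would (assumed, simplified rules).

    1. fold case
    2. strip digits/symbols appended or prepended to the word ("Doctor123", "!!doctor")
    3. undo leet substitutions inside the word ("d0ct0r", "d3nt@l")
    """
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


def is_banned(password: str, banned: Iterable[str]) -> bool:
    """Whole-password check: true only if the entire password reduces to a banned word."""
    return normalize(password) in {w.lower() for w in banned}


def contains_banned(password: str, banned: Iterable[str]) -> bool:
    """Substring check (what the issue reporter expected); shown for contrast only."""
    p = password.lower().translate(LEET)
    return any(w.lower() in p for w in banned)


def evaluate(passwords: Iterable[str], banned: Iterable[str]) -> dict:
    """Map each candidate to (whole-password banned?, contains banned word?)."""
    return {pw: (is_banned(pw, banned), contains_banned(pw, banned)) for pw in passwords}


if __name__ == "__main__":
    BANNED = ["doctor", "dental"]
    # Constructed candidates taken from the thread above.
    SAMPLES = ["D0ctor1", "Doctor123", "d3nt@l",
               "My Favorite Doctor is Dr Jim", "ihategoingtothedoctor"]
    for pw, (whole, sub) in evaluate(SAMPLES, BANNED).items():
        print(f"{pw!r:34} normalized={normalize(pw)!r:30} banned={whole} contains={sub}")
```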

Makes sense. Thanks @ryannewington!