/password-requirements-dataset

Dataset of which websites impose insecure password limits or crash on strong passwords

Creative Commons Zero v1.0 Universal (CC0-1.0)

Password requirements dataset

This repository contains a database of password limits that different websites impose. The major focus is on limits that are arbitrary, indicate some underlying insecure design, or prevent the usage of strong passwords (e.g. because strong passwords crash the website).

Goals

The overarching, ambitious goal of this project is to improve the state of internet password security by doing two things:

  1. Helping users pick the strongest passwords they are allowed to for websites
  2. Enabling public shaming of websites that don't get this right

Eventually it would be awesome if this data was used by password managers to generate even stronger passwords, without having to make conservative choices for broad compatibility. But the data included is designed to be flexible and detailed enough to enable all sorts of applications that haven't even been thought of yet.

Usage

Each entry in the dataset is represented in a JSON file in the data/ directory. Copyright is waived on this data (see "License" below), so you are welcome to do whatever you want with it. That being said, if you build tooling around this dataset - for example, to load it into a SQLite database so it can be efficiently queried, or a hall of shame page for websites with bad password practices - you are highly encouraged to submit either your tool itself or a link to your tool in a Pull Request.

More information on the format of each entry is forthcoming. In the meantime, you can use the (mostly-complete) JSON Schema in schema.json as a reference point.

meta.json

meta.json contains meta-information about the dataset. Currently it has only one key, schema-version, which will be increased every time the schema is updated in a backwards-incompatible way. It will not be changed if backwards-compatible additions are made.

Note that the addition of new enum values is not considered backwards-incompatible. Therefore, you should expect to handle the following:

  • Unknown properties
  • Unknown issue_name values
  • Unknown issue type values
  • Unknown issue source values (and therefore, unknown additional_sources values)

For most applications, it would probably be sensible to ignore anything you don't understand.
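
A consumer that follows these compatibility rules could look like the sketch below. This is an added example, not code from this repository. The supported version number, the `issues` array layout and every enum value in it are constructed assumptions; take the real ones from schema.json.

```javascript
// Added example: forward-compatible consumer of dataset entries.
// ASSUMPTIONS: version number, `issues` layout and all enum values are constructed.
const SUPPORTED_SCHEMA_VERSION = 1;
const KNOWN = {
  issue_name: new Set(['example-max-length', 'example-crash-on-long-input']),
  type: new Set(['example-limit', 'example-crash']),
  source: new Set(['example-manual-test', 'example-documentation']),
};

// schema-version only changes on backwards-incompatible updates, so any
// value other than the one this code was written against is refused.
function checkMeta(meta) {
  const version = meta['schema-version'];
  if (version !== SUPPORTED_SCHEMA_VERSION) {
    throw new Error(`unsupported schema-version: ${version}`);
  }
  return version;
}

// Copy only understood fields (unknown properties are dropped), skip issues
// whose issue_name/type/source is unknown, and filter unknown
// additional_sources rather than rejecting the whole issue.
function readIssues(entry) {
  const understood = [];
  let skipped = 0;
  for (const issue of Array.isArray(entry.issues) ? entry.issues : []) {
    const { issue_name, type, source } = issue;
    if (!KNOWN.issue_name.has(issue_name) || !KNOWN.type.has(type) ||
        !KNOWN.source.has(source)) {
      skipped += 1;
      continue;
    }
    const extra = Array.isArray(issue.additional_sources) ? issue.additional_sources : [];
    const additional_sources = extra.filter((s) => KNOWN.source.has(s));
    understood.push({ issue_name, type, source, additional_sources });
  }
  return { understood, skipped };
}

// Constructed sample data, not real dataset content.
const sampleMeta = { 'schema-version': 1 };
const sampleEntry = {
  future_property: true,
  issues: [
    { issue_name: 'example-max-length', type: 'example-limit', extra_field: 1,
      source: 'example-manual-test',
      additional_sources: ['example-documentation', 'example-future-source'] },
    { issue_name: 'example-future-issue', type: 'example-limit', source: 'example-manual-test' },
  ],
};
```

Counting skipped issues instead of silently discarding them lets a tool report when it is running against data newer than its own enum lists.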

Author

AJ Jordan alex@strugee.net

License

CC0
To the extent possible under law, AJ Jordan has waived all copyright and related or neighboring rights to Password requirements dataset. This work is published from: United States.