| 1 | // SPDX-License-Identifier: AGPL-3.0-or-later |
| 2 | |
| 3 | // Package passwords exposes the embedded common-password blocklist used at |
| 4 | // signup and password-reset to reject the most-prevalent passwords. |
| 5 | // |
| 6 | // Source: SecLists 10k-most-common (descended from leaked-credential |
| 7 | // corpora; widely used by HIBP-aligned tooling). The cutoff at 10k is a |
| 8 | // pragmatic balance: blocks the high-prevalence head of the distribution |
| 9 | // without bloating the binary or pushing legitimate, hard-to-guess |
| 10 | // passwords into a false-positive tail. |
| 11 | // |
| 12 | // To refresh the list, replace internal/passwords/common_passwords.txt |
| 13 | // with a new SecLists snapshot and re-run the test suite. |
| 14 | package passwords |
| 15 | |
| 16 | import ( |
| 17 | _ "embed" |
| 18 | "strings" |
| 19 | "sync" |
| 20 | ) |
| 21 | |
// rawList is the verbatim contents of common_passwords.txt, one candidate
// password per line. It is never read directly by callers; loadOnce parses it
// into set on first use.
//
//go:embed common_passwords.txt
var rawList string
| 24 | |
var (
	// once guards the single parse of rawList into set.
	once sync.Once
	// set holds every non-empty, whitespace-trimmed, lowercased line of
	// rawList. It is nil until loadOnce has run, so every reader must call
	// loadOnce before indexing it.
	set map[string]struct{}
)
| 29 | |
// loadOnce builds set from rawList exactly once; later calls return
// immediately. Lines are split on '\n', trimmed of surrounding whitespace
// (which also strips a trailing '\r' from CRLF input), dropped when blank, and
// lowercased so that IsCommon can compare case-insensitively.
func loadOnce() {
	once.Do(func() {
		// Count+1 equals the number of '\n'-separated segments, so the map
		// is sized for the worst case of every line being a distinct entry.
		set = make(map[string]struct{}, strings.Count(rawList, "\n")+1)
		rest := rawList
		for {
			line, tail, more := strings.Cut(rest, "\n")
			if entry := strings.TrimSpace(line); entry != "" {
				set[strings.ToLower(entry)] = struct{}{}
			}
			if !more {
				break
			}
			rest = tail
		}
	})
}
| 43 | |
// IsCommon reports whether password, compared case-insensitively, appears in
// the embedded common-password blocklist. Signup and password-reset call it to
// reject the most-prevalent passwords. The list is parsed lazily on the first
// call; the password itself is only lowercased, not trimmed, before lookup.
func IsCommon(password string) bool {
	loadOnce()
	needle := strings.ToLower(password)
	_, found := set[needle]
	return found
}
| 51 | |
// Size returns the number of distinct entries in the loaded blocklist. Because
// loadOnce lowercases entries and stores them as map keys, this can be smaller
// than the number of lines in common_passwords.txt. Intended as a test
// affordance.
func Size() int {
	loadOnce()
	count := len(set)
	return count
}
| 57 |