Password breach lookup and other password validation rules

by Maarten van Vliet, Dan Schultzer on 14 September 2019

By default Pow has a lax requirement of minimum 10 characters based on NIST 800-132, but there are many more types of validations you can use to ensure users don’t rely on weak passwords.

An important aspect to password requirements is that it should be user friendly. Requirements to mix alphanumeric with symbols and upper- and lowercase characters haven’t proven effective. In the following we’ll go through some effective methods to ensure users uses strong passwords.

They are based on the NIST SP800-63b recommendations:

Passwords obtained from previous breaches

We’ll use haveibeenpwned.com to check for breached passwords.

For the sake of brevity, we’ll use ExPwned in the following example, but you can use any client or your own custom module to communicate with the API.

First, we’ll add ExPwned to the mix.exs file:

def deps do
  [
    ...
    {:ex_pwned, "~> 0.1.0"}
  ]
end

Run mix deps.get to install it.

Now let’s add the password validation rule to our user schema module:

defmodule MyApp.Users.User do
  use Ecto.Schema
  use Pow.Ecto.Schema

  # ...

  def changeset(user_or_changeset, attrs) do
    user_or_changeset
    |> pow_changeset(attrs)
    |> validate_password_breach()
  end

  defp validate_password_breach(changeset) do
    Ecto.Changeset.validate_change(changeset, :password, fn :password, password ->
      case password_breached?(password) do
        true  -> [password: "has appeared in a previous breach"]
        false -> []
      end
    end)
  end

  defp password_breached?(password) do
    case Mix.env() do
      :test -> false
      _any  -> ExPwned.password_breached?(password)
    end
  end
end

We’ll only do a lookup if the password has been changed, and we don’t do any lookups in test environment.

Context-specific words, such as the name of the service, the username, and derivatives thereof

We want to prevent context specific words to be used as passwords.

The context might be public user details. If the users email is john.doe@example.com then the password can’t be john.doe@example.com or johndoeexamplecom. The same rule applies for any user id we may use, such as username. If the username is john.doe then john.doe00 or johndoe001 can’t be used.

Our app may also be part of a website/service/platform and have an identity. As an example, if the service is called My Demo App then we don’t want to permit passwords like my demo app, my_demo_app or mydemoapp.

We’ll add the password validation rule to our user schema module:

defmodule MyApp.Users.User do
  use Ecto.Schema
  use Pow.Ecto.Schema

  # ...

  def changeset(user_or_changeset, attrs) do
    user_or_changeset
    |> pow_changeset(attrs)
    |> validate_password_no_context()
  end

  @app_name "My Demo App"

  defp validate_password_no_context(changeset) do
    Ecto.Changeset.validate_change(changeset, :password, fn :password, password ->
      [
        @app_name,
        String.downcase(@app_name),
        Ecto.Changeset.get_field(changeset, :email),
        Ecto.Changeset.get_field(changeset, :username)
      ]
      |> Enum.reject(&is_nil/1)
      |> similar_to_context?(password)
      |> case do
        true  -> [password: "is too similar to username, email or #{@app_name}"]
        false -> []
      end
    end)
  end

  def similar_to_context?(contexts, password) do
    Enum.any?(contexts, &String.jaro_distance(&1, password) > 0.85)
  end
end

We’re using the String.jaro_distance/2 to make sure that the password has a Jaro–Winkler similarity to the context of at most 0.85.

Repetitive or sequential characters

We want to prevent repetitive or sequential characters in passwords such as aaa, 1234 or abcd.

The rule we’ll use is that there may be no more than two repeating or three sequential characters in the password. We’ll add the validation rule to our user schema module:

defmodule MyApp.Users.User do
  use Ecto.Schema
  use Pow.Ecto.Schema

  # ...

  def changeset(user_or_changeset, attrs) do
    user_or_changeset
    |> pow_changeset(attrs)
    |> validate_password()
  end

  defp validate_password(changeset) do
    changeset
    |> validate_no_repetitive_characters()
    |> validate_no_sequential_characters()
  end

  defp validate_no_repetitive_characters(changeset) do
    Ecto.Changeset.validate_change(changeset, :password, fn :password, password ->
      case repetitive_characters?(password) do
        true  -> [password: "has repetitive characters"]
        false -> []
      end
    end)
  end

  defp repetitive_characters?(password) when is_binary(password) do
    password
    |> String.to_charlist()
    |> repetitive_characters?()
  end
  defp repetitive_characters?([c, c, c | _rest]), do: true
  defp repetitive_characters?([_c | rest]), do: repetitive_characters?(rest)
  defp repetitive_characters?([]), do: false

  defp validate_no_sequential_characters(changeset) do
    Ecto.Changeset.validate_change(changeset, :password, fn :password, password ->
      case sequential_characters?(password) do
        true  -> [password: "has sequential characters"]
        false -> []
      end
    end)
  end

  @sequences ["01234567890", "abcdefghijklmnopqrstuvwxyz"]
  @max_sequential_chars 3

  defp sequential_characters?(password) do
    Enum.any?(@sequences, &sequential_characters?(password, &1))
  end

  defp sequential_characters?(password, sequence) do
    max = String.length(sequence) - 1 - @max_sequential_chars

    Enum.any?(0..max, fn x ->
      pattern = String.slice(sequence, x, @max_sequential_chars + 1)

      String.contains?(password, pattern)
    end)
  end
end

As you can see, you’ll be able to modify @sequences and add what is appropriate for your app. It may be that you want to support another alphabet or keyboard layout sequences like qwerty.

Dictionary words

A dictionary lookup is very easy to create. This is just a very simple example that you can add to your user schema module:

defmodule MyApp.Users.User do
  use Ecto.Schema
  use Pow.Ecto.Schema

  # ...

  def changeset(user_or_changeset, attrs) do
    user_or_changeset
    |> pow_changeset(attrs)
    |> validate_password_dictionary()
  end

  defp validate_password_dictionary(changeset) do
    Ecto.Changeset.validate_change(changeset, :password, fn :password, password ->
      password
      |> String.downcase()
      |> password_in_dictionary?()
      |> case do
        true  -> [password: "is too common"]
        false -> []
      end
    end)
  end

  :my_app
  |> :code.priv_dir()
  |> Path.join("dictionary.txt")
  |> File.stream!()
  |> Stream.map(&String.trim/1)
  |> Stream.each(fn password ->
    defp password_in_dictionary?(unquote(password)), do: true
  end)
  |> Stream.run()

  defp password_in_dictionary?(_password), do: false
end

In the above priv/dictionary.txt will be processed on compile time. The plain text file contains words separated by newline.

Require users to change weak password upon sign in

You may want to ensure that users update their password if they have been breached or are too weak. You can do this be requiring users to reset their password upon sign in.

This can be dealt with in a plug, or custom controller. A plug method could look like this:

def check_password(conn, _opts) do
  changeset = MyApp.Users.User.changeset(%MyApp.Users.User{}, conn.params["user"])

  case changeset.errors[:password] do
    nil ->
      conn

    error ->
      msg = MyAppWeb.ErrorHelpers.translate_error(error)

      conn
      |> put_flash(:error, "You have to reset your password because it #{msg}")
      |> redirect(to: Routes.pow_reset_password_reset_password_path(conn, :new))
      |> Plug.Conn.halt()
  end
end

The user will be redirected to the reset password page, and the connection halted so authentication won’t happen. A caveat to this is that the user may not have entered valid credentials, since this runs before any authentication.

Conclusion

As you can see it is easy to customize and extend the password validation rules of Pow.

The landscape of web security is constantly changing, so it’s important that password requirements are neither so restricting that it affects user experience or too lax that it affects security. The above will work for most cases in the current landscape, but you should also consider supporting 2FA authentication, or alternative authentication schemes such as WebAuthn or OAuth.

It depends on your requirements and risk tolerance. It’s recommended to take your time to assess what is appropriate for your app.

Unit tests

Here is a unit test module that contains tests for two of of the above rulesets:

defmodule MyApp.Users.UserTest do
  use MyApp.DataCase

  alias MyApp.Users.User

  test "changeset/2 validates context-specific words" do
    for invalid <- ["my demo app", "mydemo_app", "mydemoapp1"] do
      changeset = User.changeset(%User{}, %{"username" => "john.doe", "password" => invalid})
      assert changeset.errors[:password] == {"is too similar to username, email or My Demo App", []}
    end

    # The below is for email user id
    changeset = User.changeset(%User{}, %{"email" => "john.doe@example.com", "password" => "password12"})
    refute changeset.errors[:password]

    for invalid <- ["john.doe@example.com", "johndoeexamplecom"] do
      changeset = User.changeset(%User{}, %{"email" => "john.doe@example.com", "password" => invalid})
      assert changeset.errors[:password] == {"is too similar to username, email or My Demo App", []}
    end

    # The below is for username user id
    changeset = User.changeset(%User{}, %{"username" => "john.doe", "password" => "password12"})
    refute changeset.errors[:password]

    for invalid <- ["john.doe00", "johndoe", "johndoe1"] do
      changeset = User.changeset(%User{}, %{"username" => "john.doe", "password" => invalid})
      assert changeset.errors[:password] == {"is too similar to username, email or My Demo App", []}
    end
  end

  test "changeset/2 validates repetitive and sequential password" do
    changeset = User.changeset(%User{}, %{"password" => "secret1222"})
    assert changeset.errors[:password] == {"has repetitive characters", []}

    changeset = User.changeset(%User{}, %{"password" => "secret1223"})
    refute changeset.errors[:password]

    changeset = User.changeset(%User{}, %{"password" => "secret1234"})
    assert changeset.errors[:password] == {"has sequential characters", []}

    changeset = User.changeset(%User{}, %{"password" => "secret1235"})
    refute changeset.errors[:password]

    changeset = User.changeset(%User{}, %{"password" => "secretefgh"})
    assert changeset.errors[:password] == {"has sequential characters", []}

    changeset = User.changeset(%User{}, %{"password" => "secretafgh"})
    refute changeset.errors[:password]
  end
end