Experimenting with the NIST 800-63B password rules in Python

Every time I create a new account, I keep getting interrupted by messages like this one.

So, what exactly is a good password? From here on, I'll try out the NIST password rules I studied on DataCamp in Python. Since Japanese isn't my native language, I'll switch to English where the explanation gets hard, so please bear with me.

The repository is at htps : // 기주 b. 코 m / 병 g ゔ ぃ ぇ t / ba d パス ぉ rds - an d te-에 ST- with the data sets available.

There are many criteria for a good password, and it is hard to pin down what makes one good. However, the National Institute of Standards and Technology (NIST) gives guidance, in SP 800-63B, on how not to end up with a bad password from a cyber-security perspective: rather than composition rules, it asks you to check a candidate password against a blocklist of things attackers try first.
# Importing the pandas module
import pandas as pd

# Loading in datasets/users.csv
# dtype=str keeps all-digit passwords like '0869347314' as strings, and
# keep_default_na=False stops passwords such as 'null' or 'nan' from becoming NaN
users = pd.read_csv("datasets/users.csv", dtype=str, keep_default_na=False)

# Printing out how many users we've got
print(len(users))

# Taking a look at the 12 first users
print(users.head(12))

Passwords should not be too short


# Calculating the lengths of users' passwords
users['length'] = users['password'].str.len()

# Flagging the users with too short passwords
users['too_short'] = users['length'] < 8

# Counting and printing the number of users with too short passwords
# (.count() would count every non-null row; .sum() counts the True flags)
print(users['too_short'].sum())

# Taking a look at the 12 first rows
print(users.head(12))

Passwords should not be common passwords



Common passwords and predictable combinations should be avoided because attackers try them first. According to NIST SP 800-63B, the blocklist a verifier compares against should include, but is not limited to:
  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

# Reading in the top 10000 passwords (one per line, no header).
# squeeze=True was removed from read_csv in pandas 2.0, so squeeze the single
# column afterwards; dtype=str / keep_default_na=False keep entries like
# '123456' and 'null' as literal strings
common_passwords = pd.read_csv('datasets/10_million_password_list_top_10000.txt',
                               header=None, dtype=str,
                               keep_default_na=False).squeeze('columns')

# Taking a look at the top 20
print(common_passwords.head(20))


We load the common-password list, then find every user whose password appears in it. The comparison is exact and case-sensitive, which is the right behaviour for a breach list: 'Password' and 'password' are different entries.
# Flagging the users with passwords that are common passwords
users['common_password'] = users['password'].isin(common_passwords)

# Counting and printing the number of users using common passwords
print(users['common_password'].sum())

# Taking a look at the 12 first rows
print(users['common_password'].head(12))


Passwords should not be common words



By the same token, passwords shouldn't be common dictionary words. This may not apply to local Korean users, since the list we fetch here only contains popular English dictionary words; a deployment would add word lists for every language its users are likely to write passwords in. Unlike the breach-list check, this comparison is lower-cased, so 'Summer' and 'summer' are both caught.
# Reading in a list of the 10000 most common words (one per line, no header)
words = pd.read_csv('datasets/google-10000-english.txt', header=None,
                    dtype=str, keep_default_na=False).squeeze('columns')

# Flagging the users with passwords that are common words
users['common_word'] = users['password'].str.lower().isin(words)

# Counting and printing the number of users using common words as passwords
print(users['common_word'].sum())

# Taking a look at the 12 first rows
print(users['common_word'].head(12))


Passwords should not be your name



We should also flag passwords that match the user's own name, since NIST lists the username "and derivatives thereof" as context-specific words. The user names in the data set are of the form first.last, so the first run of word characters is the first name and the last run is the last name. The match below is case-insensitive, so 'Jennings' is caught as well as 'jennings'.
# Extracting first and last names into their own columns
users['first_name'] = users['user_name'].str.extract(r'(\w+)', expand=False)
users['last_name'] = users['user_name'].str.extract(r'(\w+$)', expand=False)

# Flagging the users with passwords that match their names (case-insensitively)
password_lower = users['password'].str.lower()
users['uses_name'] = ((password_lower == users['first_name'].str.lower()) |
                      (password_lower == users['last_name'].str.lower()))

# Counting and printing the number of users using names as passwords
print(users['uses_name'].sum())

# Taking a look at the 12 first rows
print(users['uses_name'].head(12))


Passwords should not be repetitive


# Flagging the users with passwords that repeat one character 4 or more times in a row.
# The back-reference needs a capture group, so pandas prints a harmless UserWarning
# about match groups here; it still returns the boolean we want.
users['too_many_repeats'] = users['password'].str.contains(r'(.)\1\1\1', regex=True)

# Taking a look at the users with too many repeats
print(users[users['too_many_repeats']])


All together now!



Now let's combine the criteria listed above and filter out all the bad passwords.
# Flagging all passwords that are bad.
# The name flag is the boolean column 'uses_name'; OR-ing in the string column
# 'user_name' by mistake raises a TypeError.
users['bad_password'] = (
    users['too_short'] |
    users['common_password'] |
    users['common_word'] |
    users['uses_name'] |
    users['too_many_repeats'])

# Counting and printing the number of bad passwords
print(users['bad_password'].sum())

# Looking at the first 25 bad passwords
print(users.loc[users['bad_password'], 'password'].head(25))


This is how we can filter out the bad passwords in a data set. The same approach can be applied to an existing user base if you want to find accounts whose passwords should be reset. One caveat: it only works where the plaintext is visible, and stored passwords should be hashed, so in a live system the check belongs at registration and password-change time, not on the stored column.
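As an added example that is not part of the original post, here is the same blocklist as a stand-alone, pandas-free Python function that can be dropped into a registration or password-change handler. It goes a little beyond the pandas code above: the name check looks for the user's name inside the password rather than only for an exact match, a service-name check covers the "context-specific words" item, and it also catches the "sequential characters" item from the NIST list ('1234abcd'), which the repeat regex alone does not flag. The two word lists and the user rows are constructed stand-ins for the post's data files, and the names check_password, screen_users and has_sequential_run are this example's own.

```python
"""Stand-alone NIST SP 800-63B style password screen (added example, stdlib only)."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the top-10000 breached-password list
# (compared exactly, as the post's isin() does).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football", "iloveyou"}

# Constructed stand-in for the common English word list (compared lower-cased).
COMMON_WORDS = {"the", "summer", "dragon", "monkey", "welcome", "shadow"}

MIN_LENGTH = 8                       # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64                      # 800-63B: verifiers should accept at least 64
REPEAT_RE = re.compile(r"(.)\1{3}")  # same character 4+ times in a row, e.g. 'aaaa'
SEQUENCE_LEN = 4                     # length of an 'abcd' / '1234' / 'dcba' run to reject


def has_sequential_run(password: str, length: int = SEQUENCE_LEN) -> bool:
    """True if any `length` consecutive characters step by +1 or -1 in code point,
    which catches '1234abcd', 'abcd' and 'zyxw'; the post's regex only catches repeats."""
    for i in range(len(password) - length + 1):
        window = [ord(c) for c in password[i:i + length]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def split_user_name(user_name: str) -> Tuple[str, str]:
    """First and last run of word characters, as the post's two regexes extract them."""
    parts = re.findall(r"\w+", user_name)
    if not parts:
        return "", ""
    return parts[0], parts[-1]


def check_password(password: str, user_name: str, service: str = "") -> Dict[str, bool]:
    """Return every blocklist rule the password fails (True = failed)."""
    lowered = password.lower()
    first, last = split_user_name(user_name)
    # Tokens shorter than 3 characters ('al', 'jo') would match almost anything,
    # so they are skipped; this threshold is the example's own choice.
    name_parts = [p.lower() for p in (first, last, user_name) if len(p) >= 3]
    context = [service.lower()] if service else []
    return {
        "too_short": len(password) < MIN_LENGTH,
        "too_long": len(password) > MAX_LENGTH,
        "common_password": password in COMMON_PASSWORDS,
        "common_word": lowered in COMMON_WORDS,
        # 800-63B lists the username 'and derivatives thereof', so look for the
        # name inside the password, case-insensitively, not only for equality.
        "uses_name": any(n in lowered for n in name_parts),
        "context_word": any(c in lowered for c in context),
        "too_many_repeats": REPEAT_RE.search(password) is not None,
        "sequential": has_sequential_run(password),
    }


def is_bad_password(password: str, user_name: str, service: str = "") -> bool:
    return any(check_password(password, user_name, service).values())


def screen_users(users: List[Dict[str, str]], service: str = "") -> List[Dict[str, object]]:
    """Apply the checks to {'user_name', 'password'} rows, like the post's DataFrame columns."""
    out = []
    for row in users:
        flags = check_password(row["password"], row["user_name"], service)
        out.append({**row,
                    "failed": [name for name, hit in flags.items() if hit],
                    "bad_password": any(flags.values())})
    return out


# Constructed sample rows; these are not rows from the post's users.csv.
SAMPLE_USERS = [
    {"user_name": "alice.rivera", "password": "joobheco"},        # passes every check
    {"user_name": "bob.castillo", "password": "0869347314"},      # passes every check
    {"user_name": "carol.nguyen", "password": "password"},        # breach list
    {"user_name": "dan.okafor", "password": "okafor88"},          # contains last name
    {"user_name": "erin.walsh", "password": "Summer"},            # too short + dictionary word
    {"user_name": "farid.haddad", "password": "1234abcd"},        # sequential run
    {"user_name": "gwen.holt", "password": "Welcome!!!!"},        # 4 repeated characters
    {"user_name": "hal.brooks", "password": "example-app2020"},   # contains the service name
]

if __name__ == "__main__":
    for r in screen_users(SAMPLE_USERS, service="example-app"):
        print(f"{r['user_name']:14} {r['password']:16} bad={r['bad_password']!s:5} {r['failed']}")
```

The per-rule dictionary is what a registration form needs: it lets you tell the user which rule was hit ("this password appears in a breach list") instead of a bare rejection, which SP 800-63B asks verifiers to do. Swap the two constructed sets for the full lists the post loads and the function behaves the same way.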
