github.com/Azareal/Gosora@v0.0.0-20210729070923-553e66b59003/docs/weak_passwords.md (about) 1 # Weak Passwords 2 3 For configuring the list of weak passwords and weak password detection rules, we have `config/weakpass.json` which overwrites the default values defined in `config/weakpass_default.json` 4 5 There are two sections: `contains` and `literal`. `contains` scans the password to see if a specified piece of text is in it and `literal` checks if the password matches the specified rule exactly (with some exceptions). 6 7 All passwords are converted to lowercase form before either scanner is ran on them to detect common tricks like capitalizing the first letter. 8 9 `contains` is slower and may not scale with a large number of rules, but it is more effective at finding certain patterns which a password cracker could exploit to crack someone's password. 10 11 `literal` is very inflexible and only matches rules literally. One exception is that it will remove numbers from the end of the password running the rule.