Skip to content

Update password-rules.json #896

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update password-rules.json #896

wants to merge 2 commits into from

Conversation

tibor
Copy link

@tibor tibor commented May 1, 2025

Overall Checklist

for password-rules.json

  • The given rule isn't particularly standard and obvious for password managers
  • Generated passwords have been tested from this rule using the Password Rules Validation Tool
  • Information has been included about the website's requirements (eg. screenshots, error messages, steps during experimentation, etc.)
  • Screenshot 2025-05-01 at 23 37 56
  • The PR isn't documenting something that would be a common practice among password managers (e.g. minimal length of 6)

for change-password-URLs.json

  • There is no Well-Known URL for Changing Passwords (https://example.com/.well-known/change-password)
  • The URL either makes the experience better or no worse than being directed to just the domain in a non-logged-in state

for shared-credentials.json

  • There's evidence the domains are currently related (SSL certificates, DNS entries, valid links between sites, legal documents etc.)
  • If using shared, the new group serves login pages on each of the included domains, and those login pages accept accounts from the others. (For example, we wouldn't use a shared association from google.co.il to google.com, because google.co.il redirects to accounts.google.com for sign in.)
  • If using from and to, the new group, the from domain(s) redirect to the to domain to log in.

for shared-credentials-historical.json

Screenshot 2025-05-01 at 23 37 56
  • You believe that the domains were associated at some point in the past and can explain that relationship

@taylortrimble
Copy link
Contributor

taylortrimble commented May 6, 2025
edited
Loading

I'm not a maintainer @tibor but I have a suggestion:

The only difference between the symbol list you provided and special is that your list, and the list from ggpoker.de, is missing space. Can you try a password where the only special character provided is space? A password like:

3Zc8qyc ccHhfvR0Wuya

If it's acceptable to the site, then the correct rule would be minlength: 8; maxlength: 20; required: lower; required: upper; required: digit; required: special;. From there, I think it's up to the maintainers if this is quirky based on the maxlength: 20 since the rest is pretty standard fare for a password manager.

@rmondello
Copy link
Contributor

Two tests are failing due to a bad escape. @tibor Please fix and then we’ll try to re-review!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tibor @taylortrimble @rmondello