Ability to Blacklist Password(s)

Description

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs. The National Institute of Standards and Technology (NIST) released guidance specifically recommending that user-provided passwords be checked against existing data breaches.

As a result, to offer better security, I would like to propose a feature which allows administrator(s) to upload a text file or enter into a text field a list of passwords which are not allowed due to data breaches. Examples of passwords that may populate this are Pwned Passwords, Rock You password list, and many others.

Proposal

Provide functionality to administrators to restrict what passwords can be provided by users via a password blacklist capability. Potentially include a common list such as Rock You by default.

Links / references

https://www.nist.gov/itl/tig/special-publication-800-63-3 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf — page 14 of paper, 23 of pdf https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/ https://haveibeenpwned.com/passwords https://github.com/danielmiessler/SecLists/tree/master/Passwords

Documentation blurb

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs. The National Institute of Standards and Technology (NIST) released guidance specifically recommending that user-provided passwords be checked against existing data breaches. To enable Gitlab users to better secure their installation, we have integrated this recommendation into Gitlab allowing administrators to better protect their systems.

Overview

What is it? Security control to enhance the safety of user passwords

Why should someone use this feature? Companies which baseline against the NIST cybersecurity framework will want to comply with this goal to enhance security and receive higher score on an audit.

What is the underlying (business) problem? Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs. This can allow for attackers to steal proprietary and/or confidential data.

How do you use this feature?

1. Upload a wordlist to Gitlab community edition for blacklisted passwords
2. Gitlab will validate a user's password is not in the blacklist
3. User is more secure.

Use cases

Who is this for? Provide one or more use cases. This is for all companies looking to improve their security posture. Companies who work with sensitive data using on premise installations will benefit most from this.

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

• Feature assurance
• Documentation
• Added to features.yml