From 470003665baf5b2b0d814abfa2da556cdc18febc Mon Sep 17 00:00:00 2001 From: Azareal Date: Fri, 19 Jun 2020 13:18:44 +1000 Subject: [PATCH] clarify how the weak password scanner works --- docs/weak_passwords.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/weak_passwords.md b/docs/weak_passwords.md index 3f8f1c93..c01a5d12 100644 --- a/docs/weak_passwords.md +++ b/docs/weak_passwords.md @@ -4,6 +4,8 @@ For configuring the list of weak passwords and weak password detection rules, we There are two sections: `contains` and `literal`. `contains` scans the password to see if a specified piece of text is in it and `literal` checks if the password matches the specified rule exactly (with some exceptions). +All passwords are converted to lowercase form before either scanner is ran on them to detect common tricks like capitalizing the first letter. + `contains` is slower and may not scale with a large number of rules, but it is more effective at finding certain patterns which a password cracker could exploit to crack someone's password. -`literal` is very inflexible and only matches rules literally. With two exceptions, the password fed to it is in lowercase form, so common variants like capitalizing the first letter will be detected. Sticking a number at the end of the common literal will also be detected. +`literal` is very inflexible and only matches rules literally. One exception is that it will remove numbers from the end of the password running the rule.
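Review bot: The two lines this hunk adds both carry grammar slips that should be fixed before merging: "before either scanner is ran on them" should read "before either scanner is run on them", and the replacement `literal` line drops a word, so "it will remove numbers from the end of the password running the rule" should read "from the end of the password before running the rule". Since the old text advertised "two exceptions" and the lowercase rule has now been hoisted into the shared sentence, the remaining "One exception" wording is consistent, but it would help readers to state plainly that the digit-stripping applies only to `literal` and only to trailing digits, as the `contains` paragraph is silent on it and a reader cannot otherwise tell whether `contains` sees the stripped or the original password.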