This repository contains a database of password limits that different websites impose. The major focus is on limits that are arbitrary, indicate some underlying insecure design, or prevent the usage of strong passwords (e.g. because strong passwords crash the website).
The overarching, ambitious goal of this project is to improve the state of internet password security by doing two things:
- Helping users pick the strongest passwords they are allowed to for websites
- Enabling public shaming of websites that don't get this right
Eventually it would be awesome if this data was used by password managers to generate even stronger passwords, without having to make conservative choices for broad compatibility. But the data included is designed to be flexible and detailed enough to enable all sorts of applications that haven't even been thought of yet.
Each entry in the dataset is represented in a JSON file in the `data/` directory. Copyright is waived on this data (see "License" below), so you are welcome to do whatever you want with it. That being said, if you build tooling around this dataset - for example, to load it into a SQLite database so it can be efficiently queried, or a hall of shame page for websites with bad password practices - you are highly encouraged to submit either your tool itself or a link to your tool in a Pull Request.
More information on the format of each entry is forthcoming. In the meantime, you can use the (mostly-complete) JSON Schema in `schema.json` as a reference point.
`meta.json` contains meta-information about the dataset. Currently it has only one key, `schema-version`, which will be increased every time the schema is updated in a backwards-incompatible way. It will not be changed if backwards-compatible additions are made.
Note that the addition of new enum values is not considered backwards-incompatible. Therefore, you should expect to handle the following:
- Unknown properties
- Unknown `issue_name` values
- Unknown issue `type` values
- Unknown issue `source` values (and therefore, unknown `additional_sources` values)
For most applications, it would probably be sensible to ignore anything you don't understand.
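A consumer that follows this advice could look like the sketch below. It is an added example, not code from this repository. It assumes a top-level `issues` list, an integer `schema-version`, and constructed enum values; the real names and values are the ones in `schema.json`.

```python
import json

SUPPORTED_SCHEMA_VERSION = 1  # assumption: the version this consumer targets

# Assumption: constructed enum values; the real ones are defined in schema.json.
KNOWN = {
    "issue_name": {"max-length", "forbidden-characters"},
    "type": {"limit", "crash"},
    "source": {"manual-test", "documentation"},
}
KNOWN_ISSUE_KEYS = set(KNOWN) | {"additional_sources"}

# Constructed sample entry; the top-level "issues" key is an assumption.
SAMPLE_ENTRY = """{"name": "example.test", "future_field": true, "issues": [
  {"issue_name": "max-length", "type": "limit", "source": "manual-test",
   "additional_sources": ["documentation", "carrier-pigeon"], "severity": 3},
  {"issue_name": "not-invented-yet", "type": "limit", "source": "manual-test"}
]}"""


def check_meta(meta):
    """Reject a dataset whose schema-version is not the one we were written for."""
    version = meta.get("schema-version")
    if version != SUPPORTED_SCHEMA_VERSION:
        raise ValueError(f"unsupported schema-version: {version!r}")


def filter_issue(issue):
    """Return the issue reduced to what we understand, or None to skip it."""
    for key, allowed in KNOWN.items():
        value = issue.get(key)
        if not isinstance(value, str) or value not in allowed:
            return None  # unknown or missing enum value: ignore the issue
    clean = {k: v for k, v in issue.items() if k in KNOWN_ISSUE_KEYS}
    # additional_sources shares the source enum; drop values we do not know.
    extra = issue.get("additional_sources") or []
    clean["additional_sources"] = [
        s for s in extra if isinstance(s, str) and s in KNOWN["source"]
    ]
    return clean


def load_issues(text):
    """Parse one entry and return only the issues this consumer understands."""
    entry = json.loads(text)  # unknown top-level properties are simply not read
    kept = (filter_issue(i) for i in entry.get("issues", []))
    return [i for i in kept if i is not None]
```

Skipping an issue with an unknown enum value means a password generator built on this data may miss a limit it has never heard of, so tools that act on the data should log what they skipped.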
AJ Jordan alex@strugee.net
To the extent possible under law, AJ Jordan has waived all copyright and related or neighboring rights to Password requirements dataset. This work is published from: United States.