How often is the Password Dictionary updated?

cmcgowan · December 8, 2022, 11:01pm

Documentation for the Password Dictionary feature links to a non-Auth0 Github page when mentioning the default list: SecLists/10k-most-common.txt at master · danielmiessler/SecLists · GitHub

From the history, it appears that this list has mostly gone without update for 8 years.

Does Auth0 ever update the default list of the Password Dictionary? If so, how often is the list updated?

dan.woda · December 9, 2022, 10:04pm

Hi @cmcgowan,

I’ll reach out to the team on this and report back. Thanks!

cmcgowan · December 20, 2022, 3:54pm

Hi @dan.woda, I appreciate the team taking the time to look into this. Just wanting to follow up since it has been a few days. Do you have any updates, or an idea of when the team might have an update?

dan.woda · December 27, 2022, 3:14pm

Hi @cmcgowan,

My contact for this will be back after the holidays, I’ll reach out again when they return. Thanks.

dan.woda · January 5, 2023, 2:26pm

Hi @cmcgowan,

Thanks for your patience on this.

The password dictionary isn’t updated at a regular cadence and isn’t updated very often. This is due in part to the fact that there is a finite list of these simple passwords.

If you have a specific use case regarding this we’d love to hear it.

cmcgowan · January 5, 2023, 5:05pm

Thank you Dan, I appreciate the knowledge. I figured that was the case, but it is nice to get confirmation.

I’ve been in email discussions with our Technical Account Manager about our use case, but I will give a quick summary here in case others with a similar situation find this public thread.

My company is pursuing a HITRUST R2 certification and need to meet a security control with this language:

The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly)

Initially I thought we could meet this using Password Dictionary, combined with its capability to add custom entries. But the custom entries capability was considered insufficient to meet the requirement for recurring updates on its own, due to its very limited size (max 200).

After discussions with Auth0 TAM, the better solution seems to be combining Password Dictionary and the Breached Password Detection feature. The breached password detection list is updated more frequently (though I am still trying to get more info about that cadence as well for our audit).

Overall I think our use case is met, and I just had difficulty with the documentation. Reflecting back, I think a few documentation additions would have helped me a lot.

Password Dictionary doc calls out the 200 entry limit for the Additional Dictionary Entries. The UI screenshot in the doc shows it, but neither the text nor my actual Tenant Dashboard UI mentions it.
Password Dictionary doc calls out the (lack of) update cadence.
Some sort of link between the docs for Password Dictionary and Breached Password Detection. These seem highly related to me, but they are discussed in totally separate sections of the documentation website (I did not know about Breached Password Detection until the TAM team told me, I never would have discovered that feature otherwise).
Breached Password Detection doc calls out the update cadence. Currently it mentions the detection time, but what I need is evidence that the password list itself is updated regularly.

dan.woda · January 5, 2023, 7:06pm

Thanks for the added detail! I passed the info along to our PMs.

system · March 28, 2023, 1:18pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.