from Hacker News

Sensible "Safe-Password" Checks

by adaboese on 2/2/24, 12:31 AM with 0 comments

Recently I had an incident where a user reported that their account was hacked. It turned out that they had used their email (the same email they used to sign up) as their password. This prompted me to invest in some stricter rules around what's allowed as a password. However, everything that I found online had nonsensical requirements that make passwords safe but also impossible to remember. So I wrote something that's hopefully more sensible. Sharing here so it could benefit others:

https://gist.github.com/adaboese/bcde05aa8294924cc1f85718e197c024

TLDR

* fails if password contains the email

* fails if password is too short (<8)

* fails if password starts with a whitespace

* fails if password ends with a whitespace

* fails if password is not diverse enough (e.g. foofoofoo)

* fails if password only contains numbers

* fails if password contains common sequences (e.g. 123 or asdf) [this is really only so I could remove a bunch of passwords from the next dictionary-based step]

* fails if password contains common passwords (based on 10k most popular passwords)
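The rule set from the TLDR above, as an added example that is not the gist's code: every check returns a named failure so the caller can tell the user exactly which rule tripped. It assumes case-insensitive matching, a diversity threshold of four distinct characters plus a repeated-unit test, three-character runs from keyboard rows and ordinals as the "common sequences", and a small constructed stand-in for the 10k common-password list.

```python
# Constructed stand-in for the 10k most common passwords (assumption: the real
# list is loaded from a file); matched as a substring, like the email check.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Keyboard rows and ordinals from which forbidden runs such as 123 or asdf are built.
SEQUENCE_SOURCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
                    "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8
SEQ_LEN = 3          # assumption: any 3-char forward run counts as a common sequence
MIN_DISTINCT = 4     # assumption: fewer distinct characters means "not diverse"


def _sequences():
    """Yield every forward run of SEQ_LEN characters drawn from SEQUENCE_SOURCES."""
    for src in SEQUENCE_SOURCES:
        for i in range(len(src) - SEQ_LEN + 1):
            yield src[i:i + SEQ_LEN]


def _is_repetitive(pw):
    """True for too few distinct characters or a short unit repeated (foofoofoo)."""
    if len(set(pw)) < MIN_DISTINCT:
        return True
    # A string made of a repeated unit reappears inside its own doubled form
    # once the first and last characters are removed; "foofoofoo" does, "foobar" does not.
    return pw in (pw + pw)[1:-1]


def check_password(password, email):
    """Return the list of failed rules; an empty list means the password is accepted."""
    failures = []
    low = password.lower()
    if email.lower() in low:
        failures.append("contains email")
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if password[:1].isspace():
        failures.append("starts with whitespace")
    if password[-1:].isspace():
        failures.append("ends with whitespace")
    if _is_repetitive(password):
        failures.append("not diverse enough")
    if password.isdigit():
        failures.append("only numbers")
    if any(seq in low for seq in _sequences()):
        failures.append("contains common sequence")
    if any(common in low for common in COMMON_PASSWORDS):
        failures.append("contains common password")
    return failures
```

Because the sequence rule fires on any alphabetic run such as "stu" inside "student", keep it in front of the dictionary step, as the post suggests, rather than treating it as a standalone rejection reason.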