There is one valid rule for testing for bad passwords: IS IT KNOWN?
The combination of characters, length, or rotation means nothing if a password is on a known list. It should be absolutely mandatory for all password-authenticated service providers to test against such lists when accounts and passwords are registered.
You should be talking to your bank, other financial institution(s), ISP or broadband providers, online services (Facebook, Google, Twitter, etc.), governmental offices, and asking them, pointedly, whether they are doing this, and if not, why not.
You should be contacting your legislative representation at city, regional, state, and national levels and requesting that such procedures be adopted into statutes and regulations.
And yes, there are space-efficient ways of checking for matches; look up Bloom Filters: https://en.wikipedia.org/wiki/Bloom_filter
I have been fighting this particular fight, inside and outside tech and service companies, for the past two decades. I've mostly lost. I'm getting tired of losing.
Note that the link is to the project page and not directly to the full list, though that's reachable from the page.
NB: Troy Hunt largely dismisses this disclosure as old and existing passwords, 99.6% included in his own HaveIBeenPwned collection, based on a sampling of 1,000 entries.
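The Bloom filter check the post points to, as an added example (not the commenter's code): a registration-time test of a candidate password against a known-password list, with the list itself a small constructed stand-in for a real breach corpus.

```python
import hashlib
import math

# Constructed stand-in for a breach list (a real deployment would load
# the full known-password corpus the post refers to).
KNOWN_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


class BloomFilter:
    """Space-efficient membership test with no false negatives.

    A password on the list is always reported as known. False positives
    (an unlisted password reported as known) happen at roughly the chosen
    rate; for a registration check that only costs the user one retry."""

    def __init__(self, expected_items, false_positive_rate=0.001):
        # Standard sizing: m bits and k hash functions for n items at rate p.
        n, p = max(1, expected_items), false_positive_rate
        self.m = max(8, math.ceil(-n * math.log(p) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing over one SHA-256 digest yields k bit positions.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


def build_known_password_filter(passwords, false_positive_rate=0.001):
    bf = BloomFilter(len(passwords), false_positive_rate)
    for pw in passwords:
        bf.add(pw)
    return bf


def check_registration(bf, candidate):
    """Return (accepted, reason) for a password submitted at registration."""
    if candidate in bf:
        return False, "password is on a known-password list"
    return True, "ok"
```

The filter holds only bits, not the passwords, so the full list never needs to sit in memory on the registration path; a listed password can never slip through, and the only error mode is an occasional unlisted password being rejected.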