cybersecurity · beginner · ~15 min · safe pentest lab

Banned-Password Denylist Check

Implement a deny-by-default denylist check that validates untrusted string input (NULL, empty, oversized) before comparing, and understand banned-password lists as a defensive control against credential guessing.

Challenge

Banned-Password Denylist

Weak, widely-reused passwords like password or 123456 are the first thing a credential-stuffing attacker tries. A basic defensive control is a banned-password denylist: at signup or password-change time you refuse any password that appears in a known-bad list, forcing users away from trivially guessable secrets.

In this lab you implement that check as a pure function. The asset is the account whose password is being set; the threat is an attacker who guesses common passwords. The insecure assumption to avoid is trusting attacker-controlled input (the candidate password string) blindly: it may be NULL, empty, or arbitrarily long, and your comparison must never read past its bytes.

Implement int is_banned_password(const char *pw) so it returns 1 if and only if pw exactly matches one of the fixed banned passwords below, and 0 otherwise. Deny by default: any input you cannot positively confirm as banned is treated as allowed (0). This operates only on a fixed array baked into the harness — never a live target, network, or filesystem.

Banned list: password, 123456, 12345678, qwerty, abc123, letmein, admin, iloveyou.

Edge cases

  • NULL input must return 0 (no dereference).
  • Empty string "" is not on the list, so 0.
  • Matching is exact and case-sensitive: Password and password1 are allowed.
  • Very long inputs must be handled safely without overreads.

Input format

A single C string pointer pw (may be NULL, empty, or arbitrary length).

Output format

An int: 1 if pw exactly matches a banned password, otherwise 0.

Constraints

C11, no dynamic allocation required. The denylist is fixed and case-sensitive. Do not modify pw. NULL must yield 0. Comparison must be exact (full-string), not prefix or substring.

Starter code

int is_banned_password(const char *pw){
    /* TODO: return 1 if pw exactly matches one of the banned passwords
       (password, 123456, 12345678, qwerty, abc123, letmein, admin, iloveyou),
       else 0. NULL must return 0 and you must not dereference it.
       This stub is intentionally wrong and will fail the tests. */
    (void)pw;
    return -1;
}

Common mistakes

Dereferencing pw before the NULL check; using strncmp with a fixed length so that a prefix like 'password1' wrongly matches 'password'; doing case-insensitive comparison and banning legitimate mixed-case passwords; using strstr and matching substrings; forgetting an entry in the denylist.

Edge cases to handle

NULL pointer -> 0; empty string -> 0; case variations (Password vs password) -> 0; prefixes/superstrings (password1) -> 0; very long strings -> 0 with no buffer overread; exact banned match -> 1.

Background lessons

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.