OpenPasswordFilter

Support for checking pwned passwords

Open brucejackson opened this issue 7 years ago • 2 comments

I found your project after reading about a recent upgrade to the Have I Been Pwned API by @troyhunt (https://haveibeenpwned.com/API/v2#PwnedPasswords). This update added an API call to check a password without sending the full password over the internet.

I am asking if you might consider expanding OpenPasswordFilter to add an optional check against the HaveIBeenPwned API. This might not be for everyone. A configuration file may be needed for OpenPasswordFilter to enable the feature and even set a threshold for the number of times a password must be pwned before it can’t be used.

Thanks for considering this idea. Bruce.

brucejackson, Feb 24 '18 16:02

Hi, I just added this over on my fork. Not currently checking the pwnage count as I'm not convinced that any number higher than 0 is acceptable, but feel free to give it a go and let me know what you think.

brockrob, Mar 13 '18 01:03
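The range lookup the opening post refers to, with the pwned-count threshold both posts above discuss, as an added example that is not code from OpenPasswordFilter or the fork. The function names, the sample passwords and their counts are constructed, and the HTTP call is replaced by a stand-in so the block runs offline.

```python
import hashlib

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response, skipping malformed ones."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def is_rejected(password, fetch_range, threshold=1):
    """True or False for a completed lookup, None when the lookup itself failed.

    threshold=1 rejects any password seen at least once; a higher value is
    the configurable cut-off suggested in the opening post.
    """
    prefix, suffix = split_hash(password)
    try:
        body = fetch_range(prefix)  # only the 5-char prefix leaves the host
    except OSError:
        return None  # caller decides whether to fail open or fail closed
    return parse_range_body(body).get(suffix, 0) >= threshold

SENT = []  # records what the constructed endpoint was asked for

def constructed_fetch(prefix):
    """Constructed stand-in for the HTTP request; the counts are made up."""
    SENT.append(prefix)
    rows = ["0" * 35 + ":7"]  # unrelated suffix sharing the bucket
    for sample, count in (("password", 1000), ("Summer2018!", 3)):
        p, s = split_hash(sample)
        if p == prefix:
            rows.append(f"{s}:{count}")
    return "\r\n".join(rows)

def offline_fetch(prefix):
    """Constructed failure case: the service cannot be reached."""
    raise OSError("constructed network failure")
```

A password filter has to choose what the `None` result means: failing open lets a password change proceed when the service is unreachable, failing closed blocks all changes for the duration of the outage.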

FWIW, it's also practical to test passwords against a pre-processed compact local copy of HIBP, as I implemented as an optional feature in passwdqc.

solardiz, Mar 13 '23 03:03