
integrate with https://haveibeenpwned.com/

Open Carreau opened this issue 5 years ago • 3 comments

See also https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

It provides at least a JS API that is privacy-protecting and can indicate if a password is in the set of already-leaked passwords.

That can (and should?) also be triggered on each login, instead of only when passwords are set, in case the password is leaked after being set.

Carreau avatar Mar 15 '19 18:03 Carreau

I still think it is a good idea, but what form do you think this should take, @Carreau? Alert when someone's email is in a breach? Someone's password? Both?

lambdaTotoro avatar May 05 '21 19:05 lambdaTotoro

There is an API you can query: you send the first few digits of the md5 hash and it sends you back all md5 hashes of leaked passwords. This way you can, purely in JS, make the password fields red if the currently typed password is leaked. I think that's enough.


Carreau avatar May 06 '21 03:05 Carreau

I think I'd like to get this into the 1.1 release. We already have a function that checks if a password is too common. Currently that just looks up a local txt file with common passwords; I could easily see it trying to talk to the API first and only using the txt file as a fallback.

We probably want to enforce entirely fresh passwords that have not been included in any leak, and not just fewer than n times. We might need to be more specific with our error messages though.

lambdaTotoro avatar Nov 02 '21 12:11 lambdaTotoro
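The flow the last two comments describe (query the range API first, fall back to the local common-password list when it is unreachable, and reject any password that has appeared in a leak at all), as an added Python example that is not nativeauthenticator's own code. One caveat on the thread: the live Pwned Passwords range API keys on SHA-1, not MD5; the client sends only the first 5 hex characters of the hash and matches the remaining suffix locally. The `fetch_range` hook is an assumption made here so the check can be exercised offline.

```python
"""Added example (not nativeauthenticator's code): check a candidate
password against the Pwned Passwords k-anonymity range API, falling
back to a local common-password list when the API cannot be reached.

The API keys its ranges on SHA-1 (not MD5): the client sends the first
5 uppercase hex chars of the hash and receives "SUFFIX:COUNT" lines for
every suffix in that range. 'fetch_range' is an injectable hook so the
logic can be tested offline (assumption for this example).
"""
import hashlib
import urllib.request
from typing import Callable, Optional, Set, Tuple

API_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def fetch_range_live(prefix: str, timeout: float = 3.0) -> str:
    """Fetch the live range for a 5-char SHA-1 prefix (network call)."""
    req = urllib.request.Request(API_URL + prefix,
                                 headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live
                 ) -> Optional[int]:
    """Times the password appears in the corpus; None if the API failed."""
    prefix, suffix = split_sha1(password)
    try:
        body = fetch_range(prefix)
    except Exception:  # network error, timeout, HTTP error
        return None
    for line in body.splitlines():
        part_suffix, _, count = line.strip().partition(":")
        if part_suffix.upper() == suffix:
            return int(count)
    return 0  # prefix range fetched, our suffix not in it


def is_acceptable(password: str, common: Set[str],
                  fetch_range: Callable[[str], str] = fetch_range_live
                  ) -> Tuple[bool, str]:
    """Reject any leaked password (count > 0); use the local list as fallback."""
    count = breach_count(password, fetch_range)
    if count is None:  # API unavailable: fall back to the local txt-file list
        if password in common:
            return False, "password is in the local common-password list"
        return True, "ok (breach API unavailable; local list only)"
    if count > 0:
        return False, f"password appeared in known breaches ({count} times)"
    return True, "ok"
```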