Feature request :: change pass :: check against haveibeenpwned.com
Hi! Would it be possible, when changing a password, to check it against haveibeenpwned.com? Unfortunately I have no Perl knowledge and cannot contribute directly, but if it helps, this is the Python version of the check: https://github.com/adriansev/bin-scripts/blob/master/check_pass_pwned
Thanks a lot!
Interesting idea ... although I feel like actually it would be more useful to do this check against existing accounts, rather than when the password is changed.
Well, it's not possible, as the input for the check is the SHA-1, while what is stored in passwd is SHA-512. The leaked passwords are in clear text, so the use of SHA-1 is the minimum thing to make the check faster (I suppose), and it also allows the check to be done locally (by downloading all hashes with the given prefix).
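The range-prefix check described above (hash with SHA-1, send only the 5-character prefix, compare the remaining 35 characters locally), as an added Python example; it is not code from this thread or from Usermin/Webmin. The endpoint URL is the public Pwned Passwords range API; `SAMPLE_RANGE` and `offline_lookup` are constructed stand-ins so the block runs without network access.

```python
"""k-anonymity check against the Pwned Passwords range API.

Only the first 5 hex characters of the SHA-1 leave the machine; the full
hash and the password never do. Added example, not Usermin's code.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): first 5 and remaining 35 uppercase hex chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with count 0 (padding returned when the Add-Padding header is
    sent) are dropped so they are never mistaken for a real match.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup: sends only the 5-character prefix to the API."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                lookup: Callable[[str], str] = fetch_range) -> int:
    """Breach occurrences of `password` per the API, or 0 if unseen."""
    prefix, suffix = sha1_split(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


# Constructed offline stand-in for the range response of prefix 5BAA6: the
# first suffix is the real SHA-1 tail of "password"; the rest are made up.
SAMPLE_RANGE = ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
                "0000000000000000000000000000000000A:0\n"
                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\n")


def offline_lookup(prefix: str) -> str:
    """Constructed replacement for fetch_range used in offline runs."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""
```

Rejecting a new password when `pwned_count(pw) > 0` is the check the request asks for; with `Add-Padding` the response size no longer reveals which prefix was queried by length alone.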
Hmm ... in that case, checking at password change time is less valuable since it doesn't happen very often.
I would say it is valuable enough to check whether the password is already in leaked-password databases or in rainbow tables, and the password change can happen when you increase the security of the password or when one wants to make sure that the password is somewhat safe. Nextcloud has this nice trick implemented for its users; I thought that it may be useful also for Usermin, as I did not find a way to implement this at the PAM level.