I still think this is a good idea, but what form do you think this should take, @Carreau?
Alert when someone's email is in a breach? Someone's password? Both?
There is an API in us you can query: you send the first few digits of the
md5 hash and it sends you back all md5 of leaked passwords. This way you can,
purely in JS, make the password fields red if the currently typed password
is leaked. I think that's enough.
I think I'd like to get this into the 1.1 release. We already have a function that checks if a password is too common. Currently that just looks up a local txt file with common passwords; I could easily see that it tries to talk to the API first and only uses the txt file as a fallback.
We probably want to enforce entirely fresh passwords that have not been included in any leak, and not just fewer than n times. We might need to be more specific with our error messages though.
See also https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
It provides at least a JS API that is privacy protecting and can indicate if a password is in the already leaked passwords.
That can (and should?) also be triggered on each login, instead of only when passwords are set, in case the pwd is leaked after being set.
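
As an added example (not code from this thread or from the project): a server-side version of the check discussed above, which queries the Pwned Passwords range API first and falls back to a local common-password list when the API is unreachable. The range API is keyed on the first five hex characters of the password's SHA-1 hash; the function names, the `common_passwords` set and the sample response are assumptions constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

# Constructed sample response for prefix 5BAA6 (counts are made up).
# Each line is "<35-char SHA-1 suffix>:<times seen>"; a count of 0 is padding.
SAMPLE_RANGE = (
    "0" * 34 + "A:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    + "F" * 35 + ":0\r\n"
)


def fetch_range(prefix):
    """Ask the API for every leaked SHA-1 suffix sharing this 5-character prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the leak corpus (0 = not found).

    Only the 5-character hash prefix is passed to `fetch`; the password and
    the rest of its hash never leave this process.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_rejected(password, common_passwords, fetch=fetch_range):
    """Reject any password seen in a leak at least once.

    If the API call fails or returns something unparsable, fall back to the
    local list (hypothetical: a set of lowercase common passwords).
    """
    try:
        return breach_count(password, fetch) > 0
    except (OSError, ValueError):
        return password.lower() in common_passwords
```

Passing `fetch` as a parameter keeps the lookup testable offline and lets the same function run at password-set time and at login.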