Add haveibeenpwned password check#2642
Closed
AlexProgrammerDE wants to merge 4 commits intoAuthMe:masterfrom
Closed
Add haveibeenpwned password check#2642AlexProgrammerDE wants to merge 4 commits intoAuthMe:masterfrom
AlexProgrammerDE wants to merge 4 commits intoAuthMe:masterfrom
Conversation
Author
|
@Xephi hello, what is the reason for you closing my pull request? I still want this feature shipped. |
Author
|
@Xephi I can redo this PR if the code wasn't to your liking. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request adds a haveibeenpwned.com password check before allowing a user to register with a password.
This will hopefully force users to not use weak passwords, which are easy to crack due to comparing the stored hash with password lists. The password is sent hashed and only the first five characters of the hash to haveibeenpwned. Then the response is validated by AuthMe on the server, which is going through ~500 hashes returned by the API. So this is a very secure way of checking for how secure a password is.
References:
It appears that there is a paid API, but from what I've seen, it is only for account breaches where you search by E-Mail, not by password. So I don't think there will be any rate limits this hits.
My discord is Pistonmaster#0001 (In AuthMe support discord server), let me know if there should be something changed here.