incorporate haveibeenpwned.com #186
Conversation
How does this behave if used in a restricted (limited outbound network) environment?
I think this is a cool feature, but since it's sending out passwords via a library to a third party, I'm not feeling very comfortable. I'd like to have quite a few voices weigh in about this feature in general.
I don't feel that this description does justice to what is actually happening. If you take a look at the library, it makes use of haveibeenpwned.com's k-anonymity. In other words, neither the password, nor even the complete hash ever gets transmitted anywhere. Only prefixes of the first 5 places of the SHA-1 hash do. The reply is then a bucket of suffixes with an amount attached to each of them, to be locally checked. The amount is then returned. We'd error on anything > 0.
I think as an opt-in option, that would be okay.
I wouldn't think that necessary. We already compare against a subset of that now, without explicitly making the user aware that the password will be checked.
This is what I had in mind, yes. I am also open to other approaches, though.
My intuition would be that if the feature is enabled, but the service can't be reached, it defaults to the usual check against common passwords we already have.
Wieeeeeeeee! Then yes yes yes! :D
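The k-anonymity exchange described a few comments up (5-character SHA-1 prefix sent, suffix bucket matched locally) together with the fallback proposed here (local common-password list when the service cannot be reached), as an added Python example; it is not code from this PR, from the project, or from the library under discussion. It assumes a hypothetical `fetch_range` callable that takes the prefix and returns the response body, a constructed `COMMON_PASSWORDS` set standing in for the project's static text file, and a constructed breach table served by an offline stand-in. The real service's range endpoint is `https://api.pwnedpasswords.com/range/<prefix>` and answers with `SUFFIX:COUNT` lines; the example never contacts it.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the project's local common-password list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})


class PwnedServiceUnavailable(Exception):
    """Raised by a fetcher when the range endpoint cannot be reached."""


def split_hash(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the process; the remaining
    35 characters stay local and are compared against the returned bucket.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line: ignore rather than guess
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password occurs in the breach corpus (0 if unseen)."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # network call carries the prefix only
    return parse_range_response(body).get(suffix, 0)  # match done locally


def is_password_acceptable(
    password: str,
    fetch_range: Callable[[str], str],
    fallback=COMMON_PASSWORDS,
) -> bool:
    """Reject any password seen in a breach; if the service is unreachable,
    fall back to the local common-password list instead of failing open."""
    try:
        return pwned_count(password, fetch_range) == 0
    except PwnedServiceUnavailable:
        return password not in fallback


# --- offline stand-ins for the service (constructed, hypothetical) ---

FILLER_SUFFIX = "0018A45C4D1DEF81644B54AB7F969B88D65"  # constructed, 35 hex chars


def make_fake_fetcher(breached: Dict[str, int]) -> Callable[[str], str]:
    """Build a fetcher that answers like the range endpoint for a constructed
    table of breached passwords, padding every bucket with a filler entry."""
    buckets: Dict[str, list] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        lines = [f"{FILLER_SUFFIX}:1"] + buckets.get(prefix.upper(), [])
        return "\r\n".join(lines)

    return fetch


def unreachable_fetcher(prefix: str) -> str:
    """Simulates the restricted-network case raised earlier in the thread."""
    raise PwnedServiceUnavailable("simulated: no outbound network")


CONSTRUCTED_BREACHES = {"password": 3, "qwerty": 7}  # constructed sample data
fake_fetch = make_fake_fetcher(CONSTRUCTED_BREACHES)


if __name__ == "__main__":
    for pw in ("password", "constructed-unbreached-phrase"):
        print(pw, pwned_count(pw, fake_fetch), is_password_acceptable(pw, fake_fetch))
    print("letmein offline:", is_password_acceptable("letmein", unreachable_fetcher))
```

The injectable `fetch_range` is what makes the restricted-network behaviour testable without a connection: the same `is_password_acceptable` runs against the stand-in, against a fetcher that raises, or against a real HTTP client, and the fallback path is the only place the local list is consulted.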
This would close #71 if we decide to go forward with this. I'd like to hear your thoughts on this, @consideRatio. The code itself is simple enough, just a few lines and a library call. But of course we're introducing a dependency not only on the library, but also on haveibeenpwned.com for password validation.
On the other hand, I do think it will give users more secure passwords because this catches a lot of passwords that our static text file can't and doesn't.
What do you think?