Check passwords against HaveIBeenPwned #12716
Conversation
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: mrsdizzie <info@mrsdizzie.com>
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Signed-off-by: jolheiser <john.olheiser@gmail.com>
@mrsdizzie Done. I also added the link to the admin command.
Codecov Report
@@ Coverage Diff @@
## master #12716 +/- ##
==========================================
- Coverage 43.25% 43.24% -0.01%
==========================================
Files 648 649 +1
Lines 71928 72000 +72
==========================================
+ Hits 31111 31137 +26
- Misses 35775 35819 +44
- Partials 5042 5044 +2
Continue to review full report at Codecov.
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Signed-off-by: jolheiser <john.olheiser@gmail.com>
@lafriks Let me know if you still think they should be changed, but for the moment I've resolved the issues as HIBP capitalizes the URL part.
lgtm -- also wouldn't mind this being in 1.13 as a better alternative to the password complexity feature : )
This PR implements a way to check a password against HaveIBeenPwned.
Something to note, I made a decision to add padding to all requests for extra security. Since we are using the service solely to check passwords for a user (vs some automated security script), the added overhead should be fairly negligible.
You can read more about HaveIBeenPwned's padding here: https://haveibeenpwned.com/API/v3#PwnedPasswordsPadding
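The check described above, as an added example written for this page rather than taken from the PR or from Gitea's code base: hash the password with SHA-1, send only the first five hex characters to the range endpoint with the `Add-Padding: true` header, and compare the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The `SampleRange` body and its counts are constructed for the example, not real API output; `IsPwned` performs the live request and is the only part that needs network access.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// SampleRange is a constructed stand-in for the body HIBP returns from
// GET /range/5BAA6 with "Add-Padding: true". Real responses carry several
// hundred lines; the suffixes and counts here are invented for the example.
// The line ending in ":0" is what a padding entry looks like.
const SampleRange = `003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
`

// hashParts returns the uppercase hex SHA-1 of the password split into the
// 5-character prefix that is sent to the API and the 35-character suffix
// that never leaves this host.
func hashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// breachCount scans a range response ("SUFFIX:COUNT" per line) for the local
// suffix and returns its count. Padding lines carry a count of 0, so a match
// with count 0 is treated exactly like no match: the password is not known.
func breachCount(body io.Reader, suffix string) (int, error) {
	sc := bufio.NewScanner(body)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0, fmt.Errorf("bad count in %q: %w", line, err)
		}
		return n, nil
	}
	return 0, sc.Err()
}

// IsPwned performs the live k-anonymity lookup and returns how many times the
// password appears in the corpus (0 means it was not found). Only the
// 5-character prefix is transmitted; padding is requested so the response
// size does not reveal which prefix was queried.
func IsPwned(password string) (int, error) {
	prefix, suffix := hashParts(password)
	req, err := http.NewRequest(http.MethodGet, "https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Add-Padding", "true")
	req.Header.Set("User-Agent", "hibp-range-example") // assumed UA string for the example
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("unexpected status %s from range API", resp.Status)
	}
	return breachCount(resp.Body, suffix)
}

func main() {
	// Offline demonstration against the constructed body; swap in IsPwned
	// for a real lookup.
	prefix, suffix := hashParts("password")
	fmt.Printf("prefix sent to HIBP: %s (suffix %s stays local)\n", prefix, suffix)
	n, err := breachCount(strings.NewReader(SampleRange), suffix)
	if err != nil {
		panic(err)
	}
	fmt.Printf("occurrences in sample response: %d\n", n)
}
```

Two details matter when wiring this into a signup or password-change flow: the API returns uppercase hex, so the local hash must be compared case-insensitively (or uppercased, as above), and padded responses contain entries with a count of 0 that must be ignored rather than reported as a match.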