AuthMe / AuthMeReloaded

The best authentication plugin for the Bukkit/Spigot API!
https://www.spigotmc.org/resources/authmereloaded.6269/
GNU General Public License v3.0

haveibeenpwned.com integration #1995

Open ghost opened 4 years ago

ghost commented 4 years ago

Is your feature request related to a problem? Please describe.
Yes, the problem of people using weak or used passwords for their account.

Describe the solution you'd like
AuthMe checking if the password was leaked on haveibeenpwned.com. If it was, warn the user or disallow registration, configurable in the config.

Describe alternatives you've considered
None

Additional context
None

krusic22 commented 4 years ago

The API looks simple enough. Hash the password with SHA-1, send the first 5 chars to the API, check the response against the full hash. Best practice for running this would be when users register and/or change their password, to prevent API flood, as the API is limited to 1.5s per request per IP. There is also an issue with sharing parts of the users' passwords with a third party, despite it being somewhat anonymous.
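The check described above, as an added example (not AuthMe's code): hash locally, keep only the 5-character prefix for the lookup, and compare the remaining 35 characters against the range response on the server side. The range response here is constructed to show the format; a plugin would fetch the real one for the prefix.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample of a k-anonymity range response for prefix "5BAA6".
# The endpoint returns one "SUFFIX:COUNT" line per known hash sharing the
# prefix. Lines and counts here are made up for the example, except that the
# first suffix completes the SHA-1 of the string "password".
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\r\n"  # count 0 = padding entry
)


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appeared in breaches; 0 means not found.
    range_body must be the response fetched for this password's prefix.
    Padding entries (count 0) are treated as not found."""
    _prefix, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def registration_verdict(password: str, range_body: str, block: bool) -> str:
    """The configurable behaviour requested in the issue: either warn the
    user (returning the count) or refuse registration outright."""
    n = breach_count(password, range_body)
    if n == 0:
        return "ok"
    return "rejected" if block else f"warn:{n}"
```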

ghost commented 4 years ago

> There is also an issue with sharing parts of the users' passwords with a third party, despite it being somewhat anonymous.

I think a warning should be simple enough to make things not against the law (GDPR and related)?

krusic22 commented 4 years ago

Should be fair enough.