JuKu / JuKuCMS

Open Source CMS should be the fastest CMS world wide (WIP).

User system: Check new passwords against haveibeenpwned.com #34

Open PascalReintjens opened 6 years ago

PascalReintjens commented 6 years ago

Whenever a new password is set, it should be checked against the haveibeenpwned.com Pwned Passwords list and rejected if the password appeared in a data breach: https://haveibeenpwned.com/Passwords

Detailed information (including API endpoint and implementation suggestions) here: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

JuKu commented 6 years ago

Does this mean that we have to send the password in plaintext to this api? Or only a hash?

-----Original Message-----
Subject: [JuKu/JuKuCMS] User system: Check new passwords against haveibeenpwned.com (#34)
Date: 2018-03-19T03:55:41+0100
From: "Pascal Reintjens" notifications@github.com
To: "JuKu/JuKuCMS" JuKuCMS@noreply.github.com

Whenever a new password is set, it should be checked against the haveibeenpwned.com Pwned Passwords list and rejected if the password appeared in a data breach: https://haveibeenpwned.com/Passwords Detailed information (including API endpoint and implementation suggestions) here: https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/


PascalReintjens commented 6 years ago

Does this mean that we have to send the password in plaintext to this api? Or only a hash?

No, we don't have to send the password or a full SHA-1 hash to haveibeenpwned.com; by using k-Anonymity instead we only need to send the first 5 characters of the SHA-1 hash, making it impossible for haveibeenpwned.com to reverse engineer the password.

Accidentally I originally included the wrong (outdated) link in the issue description; this one should describe k-Anonymity: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
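A worked version of the k-anonymity exchange described in the comment above, added here as an example; it is not code from JuKuCMS (the project is PHP; Python is used so the flow can be run stand-alone). The client hashes the candidate password with SHA-1, sends only the first 5 hex characters to https://api.pwnedpasswords.com/range/<prefix>, and compares the remaining 35 characters locally against the returned SUFFIX:COUNT lines. The fetcher is injected so the check can run offline against a constructed response: the breach count shown for "password", the fetch_range_* helper names and the validate_new_password policy function are made up for this example, and the Add-Padding request header (which makes the service return filler suffixes with count 0) was added to the API after this thread. One thing the thread does not settle is what happens when the lookup itself fails; the fail_open flag makes that policy explicit instead of silently accepting or rejecting.

```python
"""k-anonymity range check against the Pwned Passwords API (added example, not JuKuCMS code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # endpoint described in the linked post


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-hex-char prefix, 35-hex-char suffix) of the uppercase SHA-1 digest.

    Only the prefix is ever sent to the service; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line, CRLF separated) into a dict.

    Padded responses (Add-Padding: true) contain filler entries with count 0;
    they are kept here and treated as 'not breached' by the caller.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError("malformed range line: %r" % line)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times `password` appears in the breach corpus (0 if absent)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the suffix list for one 5-char prefix from the real API (needs network)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of sha1("password") (5BAA6): the real
# suffix with a made-up count, plus two filler lines with count 0 as produced by
# Add-Padding. Any other prefix gets an empty list in this offline stand-in.
SAMPLE_RANGES = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:0\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:0\r\n"
    ),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live backed by SAMPLE_RANGES."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_offline(prefix: str) -> str:
    """Simulates the service being unreachable (constructed failure case)."""
    raise OSError("constructed: pwnedpasswords range API unreachable")


def validate_new_password(password: str,
                          fetch_range: Callable[[str], str] = fetch_range_sample,
                          fail_open: bool = False) -> Tuple[bool, str]:
    """Policy decision for a new password: (accepted, reason).

    fail_open decides what happens when the lookup fails (URLError and timeouts
    are OSError subclasses): False rejects the password, True accepts it.
    """
    try:
        n = pwned_count(password, fetch_range)
    except (OSError, ValueError) as exc:
        if fail_open:
            return True, "breach check unavailable (%s); accepted" % exc
        return False, "breach check unavailable (%s); rejected" % exc
    if n > 0:
        return False, "password appeared %d times in known breaches" % n
    return True, "password not found in known breaches"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", validate_new_password(pw))
```

Only the 5-character prefix, which roughly one in a million of all SHA-1 values share, ever leaves the server; the plaintext and the full hash never do. Swap fetch_range_sample for fetch_range_live to query the real service.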

JuKu commented 6 years ago

Interesting! Then we can implement it, but we should provide it as a plugin, so users can also use another service.

JuKu commented 6 years ago

@PascalReintjens has sent me a link: https://github.com/nextcloud/password_policy/pull/60/