💡 Feature Request: Comprehensive Password Evaluation API

[RiseofRice]

---

💡 Feature Request: Comprehensive Password Evaluation API

Description:

We aim to implement a new API route that provides a comprehensive evaluation of user passwords. This route will combine the following three main checks:

1. Password strength validation.
2. Checking if the password has been compromised (Pwned) in a data breach.

---

📝 ToDos:

• [x] Implement a single route that performs the following checks:

  • Password strength: Assess the password's strength based on criteria such as length, use of uppercase/lowercase letters, numbers, and special characters.
  • Pwned status: Use the "Have I Been Pwned" API to check if the password has been compromised in a data breach.

• [x] Create an HTML render template to display the password evaluation results to the user.

  • The page should inform users about their password strength, provide suggestions for improvement, indicate if the password is common, and reveal its Pwned status.

---

📚 Research Details:

1. Password Strength Validation:

   • A strong password should contain at least 8-12 characters, including a mix of uppercase and lowercase letters, numbers, and special symbols.
   • Tools such as Dropbox’s zxcvbn can be used to estimate the strength of the password.

2. Pwned Password Check:

   • Use the "Have I Been Pwned" API to check whether the password has been part of any known data breaches.

---

⚙️ Technical Details:

• POST /check-password (combined route)

  • Request Body: { "password": "user_password_here" }
  • Response:

    {
    "strength": "strong" | "weak",
    "reasons": ["reason 1", "reason 2"],
    "is_common": true | false,
    "pwned": true | false
    }

• HTML Template to display results: Create a user-friendly HTML page that informs the user about the strength, commonality, and pwned status of their password, along with suggestions for improvement if needed.

---

🎯 Acceptance Criteria:

• The /check-password route should provide a comprehensive evaluation of a password.
• The HTML page should clearly inform users about their password's strength, whether it’s commonly used, and if it’s been compromised in a data breach.
• The API must be secure and efficient, adhering to best practices (e.g., HTTPS for secure data transmission).

---

🕵️‍♂️ References:

• Have I Been Pwned API
• zxcvbn Password Strength Estimator

---

[RiseofRice]

---

Using the "Have I Been Pwned" API for Password Checks

To determine if a user's password has been compromised, we can utilize the "Have I Been Pwned" API. The specific endpoint we will use is:

GET /range/{5digits from sha1 string of the password}

Overview of the Process:

1. Generate SHA-1 Hash: First, we need to compute the SHA-1 hash of the user’s password. This can be done using any SHA-1 hashing library available in your programming language of choice.

2. Extract Prefix: From the resulting SHA-1 hash, take the first five characters. This prefix will be used to query the API.

3. API Call: Make a request to the API using the following format:

   GET https://api.pwnedpasswords.com/range/{prefix}

   Here, {prefix} is the first five characters of the SHA-1 hash.

4. Response Handling: The API will return a text/plain response containing a list of SHA-1 suffixes for all passwords that match the provided prefix, along with the number of times each password has been found in data breaches, formatted like this:

   6F8DB5994390216022D7CBA6B6B0B3A7D2C8007E:3
   7C6A180B36896A0A8C02787EEA8B62A2E8A157A2:5
   ...

5. Search for the Suffix: To check if the user's password has been compromised, extract the last 35 characters of the SHA-1 hash (the suffix). Search through the API response for this suffix.

   • If the suffix is found in the response, the password has been pwned, and the accompanying number indicates how many times it has been exposed.
   • If the suffix is not present, the password has not been compromised.

Privacy Consideration:

The API is designed to ensure user privacy. By using only the prefix of the SHA-1 hash for querying, it avoids sending the full hash or the plaintext password over the network.

---

By implementing this approach, we can effectively check whether a user's password has been involved in data breaches while maintaining their privacy.

Feel free to let me know if you need further clarification or assistance!

---

This response clearly outlines the steps for using the API, addresses privacy concerns, and maintains a structured format for easy reading.