Closed RiseofRice closed 1 week ago
To determine if a user's password has been compromised, we can utilize the "Have I Been Pwned" API. The specific endpoint we will use is:
GET /range/{5digits from sha1 string of the password}
Generate SHA-1 Hash: First, we need to compute the SHA-1 hash of the user’s password. This can be done using any SHA-1 hashing library available in your programming language of choice.
Extract Prefix: From the resulting SHA-1 hash, take the first five characters. This prefix will be used to query the API.
API Call: Make a request to the API using the following format:
GET https://api.pwnedpasswords.com/range/{prefix}
Here, {prefix} is the first five characters of the SHA-1 hash.
Response Handling:
The API will return a text/plain response containing a list of SHA-1 suffixes for all passwords that match the provided prefix, along with the number of times each password has been found in data breaches, formatted like this:
6F8DB5994390216022D7CBA6B6B0B3A7D2C8007E:3
7C6A180B36896A0A8C02787EEA8B62A2E8A157A2:5
...
Search for the Suffix: To check if the user's password has been compromised, extract the last 35 characters of the SHA-1 hash (the suffix). Search through the API response for this suffix.
The API is designed to ensure user privacy. By using only the prefix of the SHA-1 hash for querying, it avoids sending the full hash or the plaintext password over the network.
By implementing this approach, we can effectively check whether a user's password has been involved in data breaches while maintaining their privacy.
Feel free to let me know if you need further clarification or assistance!
This response clearly outlines the steps for using the API, addresses privacy concerns, and maintains a structured format for easy reading.
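The k-anonymity lookup walked through above, as an added Python example that is not code from this issue or its project. The sample range body is constructed (only the first suffix, that of the string "password", is a real SHA-1 suffix; the counts and other suffixes are made up), and the Add-Padding request header is a real Pwned Passwords option that mixes count-0 decoy lines into the response, which the parser drops.

```python
import hashlib
import urllib.request
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a /range/5BAA6 response. The first suffix is the real
# SHA-1 suffix of "password"; all counts and the other suffixes are made up.
# The last line is a count-0 padding entry (returned when Add-Padding: true
# is sent) and must not count as a breach hit.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "0ADF1D27BF7ABE4B15F1FF2A3C04A8D3C2B:0\r\n"
)

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 split into the 5-char prefix (the only part that
    leaves the host) and the 35-char suffix (matched locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and
    blank lines, normalises case, and drops count-0 padding entries."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, body: str) -> int:
    """Breach count of the password according to a range response (0 = absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Network call by prefix only; Add-Padding hides the true entry count
    of the range from a passive observer of the response size."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def is_pwned(password: str) -> int:
    """Full online check: query by prefix, then compare the suffix locally."""
    return breach_count(password, fetch_range(sha1_prefix_suffix(password)[0]))
```

Only fetch_range and is_pwned touch the network; breach_count can be unit-tested against a captured response body, as the constructed sample shows.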
💡 Feature Request: Comprehensive Password Evaluation API
Description:
We aim to implement a new API route that provides a comprehensive evaluation of user passwords. This route will combine the following three main checks:
📝 ToDos:
[x] Implement a single route that performs the following checks:
[x] Create an HTML render template to display the password evaluation results to the user.
📚 Research Details:
Password Strength Validation: zxcvbn can be used to estimate the strength of the password.
Pwned Password Check:
⚙️ Technical Details:
POST /check-password (combined route)
{ "password": "user_password_here" }
HTML Template to display results: Create a user-friendly HTML page that informs the user about the strength, commonality, and pwned status of their password, along with suggestions for improvement if needed.
🎯 Acceptance Criteria:
/check-password route should provide a comprehensive evaluation of a password.
🕵️♂️ References: