akamsteeg / AtleX.HaveIBeenPwned

A fully async .NET Standard client library for the API of HaveIBeenPwned.com
https://www.nuget.org/packages/AtleX.HaveIBeenPwned/
MIT License

Preliminary plans for vFuture #80

Open akamsteeg opened 1 year ago

akamsteeg commented 1 year ago

Some preliminary plans for what comes next after v7.x:

MichaelGrafnetter commented 1 year ago

Hello @akamsteeg, I was considering integrating this nice NuGet package into my DSInternals PowerShell Module to enable online Active Directory password auditing.

I wonder if you have any plans on supporting NTLM hash k-anonymity lookups (byte[16] as method parameter). This is the format in which hashes are stored by Windows in central Active Directory databases and local SAM hives.

The NETFX support is crucial for me, as I would like to continue supporting PowerShell 5, which comes with Windows 11 and is built on .NET Framework.

akamsteeg commented 1 year ago

@MichaelGrafnetter : Nobody ever requested it before and that's the only reason why it's not in there. :D So, you need an overload of IsPwnedPasswordAsync() that accepts a byte[] instead of the full password string, correct? Are those 16 bytes the full hash, so can I safely convert that to a string and then send the first five characters the API needs?

MichaelGrafnetter commented 1 year ago

Yes, @akamsteeg, your assumptions are correct. The interface could look similar to this:

Task<bool> IsPwnedPasswordAsync(byte[] passwordHash);
Task<bool> IsPwnedPasswordAsync(byte[] passwordHash, CancellationToken cancellationToken);

The code could also theoretically detect if the hash is 16B (NTLM) or 20B (SHA1). That would affect the KAnonimityRemainderLength, which is currently defined as a constant.

BTW, I could also imagine the k-anonymity to be an optional parameter:

public const int DefaultKAnonymity = 5; // Constants.cs ? Number of hex characters of the hash sent to the API

// Optional parameters must come last in C#, so the cancellation token gets a default too.
Task<bool> IsPwnedPasswordAsync(string password, int kAnonymity = DefaultKAnonymity);
Task<bool> IsPwnedPasswordAsync(string password, int kAnonymity = DefaultKAnonymity, CancellationToken cancellationToken = default);
Task<bool> IsPwnedPasswordAsync(byte[] passwordHash, int kAnonymity = DefaultKAnonymity);
Task<bool> IsPwnedPasswordAsync(byte[] passwordHash, int kAnonymity = DefaultKAnonymity, CancellationToken cancellationToken = default);

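
The k-anonymity flow the two comments above describe, as an added example that is not code from AtleX.HaveIBeenPwned or from either commenter: compute the NT hash (MD4 over the UTF-16LE password, the 16-byte form stored in AD and SAM), detect NTLM vs SHA-1 by digest length, keep the first five hex characters as the prefix that goes to the API, and match the remaining 27 (NTLM) or 35 (SHA-1) characters against a range response locally. The function names, the `K_ANONYMITY_PREFIX_LENGTH` constant and the sample range response (with made-up counts) are assumptions for illustration; the `range/{prefix}?mode=ntlm` endpoint is the public Pwned Passwords API's own and is not discussed in this thread. MD4 is written out because OpenSSL-backed hashlib builds commonly disable it.

```python
"""Added example (not part of AtleX.HaveIBeenPwned): prepare a k-anonymity
range query for an NTLM (16-byte) or SHA-1 (20-byte) hash and match a range
response offline. Function names and the sample response are assumptions."""
import hashlib
import struct

K_ANONYMITY_PREFIX_LENGTH = 5  # hex chars sent to the API; the remainder never leaves the host


def _lrot(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three rounds of 16 steps over 64-byte blocks, little-endian)."""
    msg = bytearray(data)
    msg.append(0x80)
    msg.extend(b"\x00" * ((56 - len(msg) % 64) % 64))
    msg.extend(struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d), words in order
            a = _lrot(a + ((b & c) | (~b & d)) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority, words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _lrot(a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = xor, words 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _lrot(a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm_hash(password: str) -> bytes:
    """NT hash as stored in AD/SAM: MD4 over the UTF-16LE password, 16 bytes."""
    return md4(password.encode("utf-16-le"))


def sha1_hash(password: str) -> bytes:
    """SHA-1 over the UTF-8 password, the 20-byte form the default API mode expects."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def k_anonymity_parts(password_hash: bytes, prefix_length: int = K_ANONYMITY_PREFIX_LENGTH):
    """Detect the hash type by length and split the upper-case hex digest into
    (mode, prefix, suffix). Only the prefix is sent to the API."""
    if len(password_hash) == 16:
        mode = "ntlm"
    elif len(password_hash) == 20:
        mode = "sha1"
    else:
        raise ValueError(f"expected 16 (NTLM) or 20 (SHA-1) bytes, got {len(password_hash)}")
    digest = password_hash.hex().upper()
    return mode, digest[:prefix_length], digest[prefix_length:]


def range_url(mode: str, prefix: str) -> str:
    """Range endpoint of the public Pwned Passwords API; NTLM lookups add mode=ntlm."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    return url + "?mode=ntlm" if mode == "ntlm" else url


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a 'SUFFIX:COUNT' range response for our remainder; 0 means not found."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed range response for the NTLM prefix 8846F (counts are made up, assumption).
SAMPLE_NTLM_RANGE = """7EAEE8FB117AD06BDD830B7586C:3730471
7EAEE8FB117AD06BDD830B7586D:2
000001AB0C3B1AE3AF2A6A6C2FD:1"""

if __name__ == "__main__":
    for digest in (ntlm_hash("password"), sha1_hash("password")):
        mode, prefix, suffix = k_anonymity_parts(digest)
        print(mode, range_url(mode, prefix), "remainder length", len(suffix))
    _, _, ntlm_suffix = k_anonymity_parts(ntlm_hash("password"))
    print("pwned count:", count_in_range_response(ntlm_suffix, SAMPLE_NTLM_RANGE))
```

The only difference between the two hash types on the wire is the remainder length that must be compared locally (27 versus 35 hex characters), which is why a length check on the `byte[]` is enough to pick the mode and why a fixed remainder-length constant breaks once NTLM is supported.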
akamsteeg commented 1 year ago

@MichaelGrafnetter Thank you very much for your feature request and the detailed answer. I created https://github.com/akamsteeg/AtleX.HaveIBeenPwned/issues/84 to track this feature request. I've now labeled it for vFuture, but I see possibilities to add it to a V7.* version in a non-breaking way. I need to investigate that further though to make sure I don't break anything for existing users.

Regarding your comment about dropping NETFX support, I've received more feedback about that and currently it looks like removing a NETFX compatible target is not a good idea for the foreseeable future. So, taking a dependency on this lib should be safe for you. Can you please leave a comment on https://github.com/akamsteeg/AtleX.HaveIBeenPwned/issues/68 that you need NETFX support, so you'll get notified when that issue is updated?