Closed leifdreizler closed 1 year ago
A wrapper library which calls zxcvbn and then HIBP would make more sense than integrating the two directly (imo). I'd venture that someone out there must have built such a thing (whether as a library or just in their application code) - anyone want to open source it (and link from this issue)?
Edit: oops, I thought I was in the KeePassXC repo, sorry if this comes out as off-topic.
Janek Bevendorff @phoerious addressed this: https://keepassxc.org/blog/2018-02-24-pwned-database/
On KeePass I use the (open-source) HIBPOfflineCheck plugin that tries to match the SHA-1 against a downloaded database dump from https://haveibeenpwned.com/Passwords
It has the benefit of not supplying the hash to an external API but eats quite a lot of space (22+ GiB).
Off-topic disagreement: HIBP integration is useless only if you are building a password manager. As the article points out, HIBP is not very effective for measuring password strength, but combined with zxcvbn in a login form it can detect reused passwords, or common passwords that are not in the zxcvbn list. It's pretty useful.
If anyone is going to create a wrapper, this might be a useful reference implementation: https://github.com/jamiebuilds/havetheybeenpwned/blob/master/lib/implementation.js
Feature Request: An optional flag for running a given password against the HIBP API. Presence of the password in the HIBP database would result in a lowered score and a custom message. To save on requests to the HIBP API it could run after the basic checks have completed—no need to run "password1!" against HIBP. Requests to the API could fail silently.