jephthai / OpenPasswordFilter

An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
GNU General Public License v2.0

Support for checking pwned passwords #19

Open brucejackson opened 6 years ago

brucejackson commented 6 years ago

I found your project after reading about a recent upgrade to the Have I Been Pwned API by @troyhunt (https://haveibeenpwned.com/API/v2#PwnedPasswords). This update added an API call to check a password without sending the full password over the internet.

I am asking if you might consider expanding OpenPasswordFilter to add an optional check against the HaveIBeenPwned API. This might not be for everyone. A configuration file may be needed for OpenPasswordFilter to enable the feature and even set a threshold for the number of times a password must be pwned before it can’t be used.

Thanks for considering this idea. Bruce.
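The k-anonymity check the request above describes (send only the first five hex characters of the password's SHA-1, compare the returned suffixes locally, optionally reject above a count threshold), as an added example that is not part of OpenPasswordFilter or the HIBP project. The range response below is constructed for offline use; the real service would be queried at the range endpoint of the API linked above.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, 0 if absent.
    fetch_range(prefix) returns the text body for that prefix; in production
    it would GET https://api.pwnedpasswords.com/range/<prefix> (the API the
    issue links to). Only the prefix is ever passed to it."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str],
                     threshold: int = 0) -> bool:
    """Filter decision: reject once the breach count exceeds the threshold
    (threshold 0 rejects any password that has been seen at all)."""
    return pwned_count(password, fetch_range) <= threshold


# Constructed offline stand-in for the API: one prefix's response containing
# the suffix of "password" at a made-up count. Not real HIBP data.
_PW_PREFIX, _PW_SUFFIX = sha1_prefix_suffix("password")
_CONSTRUCTED_RANGES = {
    _PW_PREFIX: ("0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
                 f"{_PW_SUFFIX}:3730471\n"
                 "FFFD2C3F0E5C3A9B8D7E6F5A4B3C2D1E0F9:2\n")
}


def offline_fetch_range(prefix: str) -> str:
    """Hypothetical fetcher that serves the constructed data instead of HTTP."""
    return _CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "constructed-example-passphrase-7f3"):
        print(pw, pwned_count(pw, offline_fetch_range),
              password_allowed(pw, offline_fetch_range))
```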

brockrob commented 6 years ago

Hi, I just added this over on my fork. Not currently checking the pwnage count as I'm not convinced that any number higher than 0 is acceptable, but feel free to give it a go and let me know what you think.

solardiz commented 1 year ago

FWIW, it's also practical to test passwords against a pre-processed compact local copy of HIBP, as I implemented as an optional feature in passwdqc.