Closed zee0 closed 6 years ago
Checking that database is not of much use if you are using a password manager. See our blog post about it: https://keepassxc.org/blog/2018-02-24-pwned-database/
@phoerious: With all due respect to your well-written blog post, your point number 2 is exactly why we need this:
- You are using services that got compromised and didn’t hash their passwords properly (stop using them!)
This assumes that you're informed when a password gets compromised. We all know that responsible and timely disclosure is anything but the norm.
I'm signed up with haveibeenpwned for half a dozen domains that I administer. I can tell you that frequently an email from Troy's system is the first notice I get that an account has been compromised.
You should read the last part, too. There is really no need to check the password if instead you could check the username. In fact, checking the username is far more likely to give you a positive result with less risk involved.
Enhancement Request
Check passwords against the pwned passwords database via the API. More info here: https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
Current Behavior
If you're currently using a password that generates a hash that's in the pwned passwords database, it's utterly useless for authentication.
Possible Solution
Getting an alert that hashes of passwords in the KeePass database are in the pwned passwords database would alert users to change them immediately.
Implementation
Context
While generating long passwords via the generator probably assures their uniqueness, there is still a small possibility that they are in the pwned passwords database. Additionally, if users do not use the password generator, but use KeePass simply as a grey matter backup [and consequently have less random passwords], it would be advantageous for them to know if a password was pwned.
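The check this request describes, as an added example that is not KeePassXC's code: the k-anonymity range lookup offered by the Pwned Passwords API, where only the first five hex characters of the password's SHA-1 are sent and the suffix comparison happens locally, so neither the password nor its full hash leaves the machine. The HTTP call is replaced by a constructed in-memory stand-in with made-up counts so the example runs offline; `fetch_range`, `audit_entries` and those counts are assumptions of this example, not API details.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords corpus is keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent; the 35-char suffix stays local."""
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus (0 if absent). fetch_range(prefix)
    returns the response body; a real client would GET
    https://api.pwnedpasswords.com/range/<prefix> over HTTPS."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def audit_entries(entries: Iterable[Tuple[str, str]],
                  fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """entries: (title, password) pairs from the vault. Returns the pwned ones
    with their counts, so the user can be alerted to rotate them."""
    hits = []
    for title, password in entries:
        count = breach_count(password, fetch_range)
        if count:
            hits.append((title, count))
    return hits

# Constructed offline stand-in for the API (made-up counts, not real data).
CONSTRUCTED_LEAKS = {"password": 3730471, "letmein": 12345}

def fake_fetch_range(prefix: str) -> str:
    """Mimic the range endpoint: every fake-corpus suffix sharing the prefix,
    plus one filler line, CRLF-separated like the real service."""
    lines = [f"{d[5:]}:{n}" for d, n in
             ((sha1_hex(pw), n) for pw, n in CONSTRUCTED_LEAKS.items())
             if d.startswith(prefix)]
    lines.append("F" * 35 + ":1")  # filler suffix, constructed
    return "\r\n".join(lines)
```

Calling `audit_entries([("mail", "password"), ("bank", "G7#kq9!LmZ2pX&vR")], fake_fetch_range)` flags only the first entry; swapping `fake_fetch_range` for a real HTTPS client is the only change needed to query the live service.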