base-zero
commented
3 years ago @thyseus I would highly recommned that you read over the code in Laravel that is used for this feature as nothing is sent in plain-text ! I would also recommned that your read the API docs for haveibeenpwned and you will see that security is the most important thing for this API and that its not as simple as sending hashs out to a 3rd party.
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
Please read the docs and code to see how the system works and how security is bulit into the desgin of the system from the start, before scaremongering with incorrect comments.
thyseus
lk77
Please remove the new
uncompromised()feature introduced in https://github.com/laravel/framework/pull/36960 out of the laravel framework core. It is absolutely irresponsible to send the plain-text password, or even hashed password of any user registering to a third party service most proably without letting him know. I feel fine if there is a third party extension, but this potentially malicious design behaviour should not be promoted inside the laravel core.Of course a developer is not forced to use this feature inside his application, but this behaviour should not be promoted. Please keep the way of handling of passwords agnostic and secure.