michaelbanfield / devise-pwned_password

Devise extension that checks user passwords against the PwnedPasswords dataset
https://rubygems.org/gems/devise-pwned_password
MIT License
156 stars, 29 forks

Consider using unpwn to reduce API calls #20

Open eliotsykes opened 5 years ago

eliotsykes commented 5 years ago

Consider using the unpwn gem to check passwords locally https://github.com/indirect/unpwn

Unpwn checks passwords locally against the top one million passwords, as provided by the nbp project. Then, it uses the haveibeenpwned API to check proposed passwords against the largest corpus of publicly dumped passwords in the world.

As a bonus, if the haveibeenpwned API is down, at least there are still some checks applied.
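The two-stage check eliotsykes describes (local common-password list first, then the haveibeenpwned range API), as an added Ruby sketch that is not unpwn's or this gem's own code. The denylist, the sample password, the canned range response and the fetcher lambda are constructed stand-ins; a live client would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```ruby
require "digest"
require "set"

# Constructed stand-in for a local top-N common-password list (unpwn uses the
# NBP top one million; this sample holds a handful of entries).
LOCAL_DENYLIST = Set.new(%w[password 123456 qwerty letmein]).freeze

# Constructed sample password and its SHA-1, used to build a canned response.
SAMPLE_PASSWORD = "Tr0ub4dor&3"
SAMPLE_SHA1 = Digest::SHA1.hexdigest(SAMPLE_PASSWORD).upcase

# Constructed range-API response body for SAMPLE_PASSWORD's 5-char prefix, in
# the API's "SUFFIX:COUNT" line format; the second line is a made-up non-match.
CANNED_RANGES = {
  SAMPLE_SHA1[0, 5] => "#{SAMPLE_SHA1[5..]}:17\n#{'0' * 34}A:2\n"
}.freeze

# Stand-in transport: returns the canned body for a known prefix and raises
# IOError for any other, simulating the API being unreachable.
def hibp_range_fetcher(canned)
  ->(prefix) {
    body = canned[prefix]
    raise IOError, "pwnedpasswords API unreachable" unless body
    body
  }
end

# Local stage first (fast, works offline), then the k-anonymity range lookup,
# which only ever sends the first five hex chars of the SHA-1 off-host.
# Returns :local, :pwned, :ok, or :unverified (API failed after local passed).
def check_password(password, fetch:, denylist: LOCAL_DENYLIST)
  return :local if denylist.include?(password)

  sha1 = Digest::SHA1.hexdigest(password).upcase
  prefix, suffix = sha1[0, 5], sha1[5..]
  begin
    body = fetch.call(prefix)
  rescue IOError
    # API down: the local stage already ran, so the caller decides whether
    # to accept :unverified or fail closed.
    return :unverified
  end

  count = body.each_line.sum do |line|
    hash_suffix, n = line.strip.split(":", 2)
    hash_suffix == suffix ? n.to_i : 0
  end
  count.positive? ? :pwned : :ok
end
```

Whether `:unverified` is accepted or rejected is the policy choice the comment alludes to: the local stage still rejects the most common passwords even when the API is down.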

TylerRick commented 4 years ago

Not a bad idea!

Too bad it would render use of https://github.com/philnash/pwned library redundant. I feel like pwned is a more solid library, and certainly seems more configurable, so I'd personally prefer to keep using it (but my bias may be unfounded).

It seems pretty unlikely that the haveibeenpwned API would go down for a significant length of time...