nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

HIBP implementation (password check) #8494

Closed LawnSounds closed 6 years ago

LawnSounds commented 6 years ago

Along with the settings to require certain password characteristics (e.g. length and such), it would be cool to implement this too, to check for previously exploited passwords:

https://haveibeenpwned.com/API/v2#PwnedPasswords

dirigit commented 6 years ago

From Troy Hunt's blog (he runs the service mentioned):

"It goes without saying (although I say it anyway on that page), but don't enter a password you currently use into any third-party service like this! I don't explicitly log them and I'm a trustworthy guy but yeah, don't. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it's not one they should be using any more. Mind you, someone could actually have an exceptionally good password but if the website stored it in plain text then leaked it, that password has still been "burned"."

csrichter commented 6 years ago

Using GET https://api.pwnedpasswords.com/range/{first 5 hash chars}, you can hash the user's password locally, send only the first five characters of the hash to HIBP, and check locally for the full hash in the results. In this case the external service won't even know whether the password you searched for was in the results.

IMO this would be a really cool feature
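The range lookup described in the comment above, as an added worked example (this is not code from the original thread or from Nextcloud's password_policy app). It hashes the candidate password with SHA-1 locally, sends only the first five hex characters of the digest as the range prefix, and matches the remaining 35 characters against the `SUFFIX:COUNT` lines the range endpoint returns. The network fetcher is passed in as a callable so the logic can be exercised offline: `FAKE_RANGE_RESPONSES` is constructed sample data with a made-up count (the SHA-1 of "password" is real, the count is not), and `http_fetch_range` is the optional live fetcher. Note the residual leak: the service still learns the 5-character prefix, which narrows the candidate to roughly one in a million SHA-1 values, so the plaintext and full hash must never leave the server.

```python
import hashlib
from typing import Callable, Dict

PREFIX_LEN = 5   # hex chars sent to the range endpoint
SUFFIX_LEN = 35  # remaining hex chars of a 40-char SHA-1 digest, compared locally


def sha1_upper_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; HIBP range data is uppercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}.

    Malformed lines are skipped rather than raising, so a partially garbled
    response cannot turn into a false 'not pwned' by blowing up the check.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        count = count.strip()
        if len(suffix) != SUFFIX_LEN or not count.isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 if absent).

    Only the 5-char prefix is handed to fetch_range; the suffix comparison
    happens locally, so the remote side never sees which entry (if any) matched.
    """
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


# Constructed sample data: the digest of "password" is the real SHA-1
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the neighbouring suffixes and
# every count below are made up for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "D3D4CB9C6A0FFC4EA7C82ED5E2B6A2E5C8D:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint; unknown prefixes return no rows."""
    return FAKE_RANGE_RESPONSES.get(prefix.upper(), "")


def http_fetch_range(prefix: str) -> str:
    """Live fetcher (assumed usage; not exercised here). HIBP asks for a User-Agent."""
    from urllib.request import Request, urlopen
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-hibp-range-check"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "some-other-secret-not-in-fake-data"):
        n = pwned_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

In a password-policy hook the only decision needed is `pwned_count(...) > 0`; the count is useful for logging but the policy should reject on any hit. Swap `fake_fetch_range` for `http_fetch_range` to query the live service, and treat a network failure as a separate outcome (fail open or closed by policy) rather than as "not pwned".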

LawnSounds commented 6 years ago

Oh dang, didn't know you could do that - genius! Thanks for the technical input

rullzer commented 6 years ago

Could you fill this issue in https://github.com/nextcloud/password_policy/issues ? feel free to ping me there and I'll put it on my todo list.

LawnSounds commented 6 years ago

Oh sure! Was looking for the correct place to put it but something something and ended up posting it here... thanks

LawnSounds commented 6 years ago

Moved issue to: #58