oaeproject / Hilary

Open Academic Environment (OAE) Back-End
http://www.oaeproject.org
Educational Community License v2.0

Prevent common passwords #1491

Status: Open. Opened by davidoae 6 years ago.

davidoae commented 6 years ago

There is a service [1] that provides API access to more common cracked passwords. It is not considered to be good practice to ban these passwords [2]. I therefore suggest we check any new password set against the API.

[1] https://haveibeenpwned.com/
[2] https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

sallakarppinen commented 6 years ago

Would this involve sending an unhashed user-entered password through to a foreign API?

davidoae commented 6 years ago

There are a couple of methods of access. I don't suggest using one that requires us to send potential passwords to them, unless there's a good way to do that.

On 18 December 2017 at 08:15, Salla Karppinen notifications@github.com wrote:

Would this involve sending an unhashed user-entered password through to a foreign API?


sallakarppinen commented 6 years ago

There is no good way, which is why I asked. Which method were you thinking of?