Make API and internals more secure

obsidiansystems / haveibeenpwned

Haskell library that uses HIBP to evaluate passwords

BSD 3-Clause "New" or "Revised" License

11 stars 3 forks source link

Make API and internals more secure #4

Closed eskimor closed 3 years ago

ali-abrar commented 5 years ago

Thanks @eskimor. Can you describe how this improves security?

eskimor commented 5 years ago

@ali-abrar sure: Dan noticed that we are using a disclosed count of 0 internally to say that password is considered secure. Problem: If the database got an incorrect disclosed count of zero for some password, the library would actually report it as secure, although we just found it in a database.

I updated the changelog as well, with those details. I also changed the API to use a dedicated constructor, as it was confusing to users previously.