ontohub / ontohub-frontend

The Ontohub web UI for the end user.

Check passwords against leaked passwords #216

Open eugenk opened 6 years ago

eugenk commented 6 years ago

When registering or changing the password, check if the password is insecure and has been leaked. Use a leaked password database such as PasswordPing.

If the chosen password is leaked, display a warning before allowing them to register. Then, the user may choose to keep the insecure password, but they are aware of it.

phyrog commented 6 years ago

Is PasswordPing free? Wondering because of the Free Trial button and the auth header the docs mention.

phyrog commented 6 years ago

https://haveibeenpwned.com/API/v2#PwnedPasswords seems to be free; https://github.com/wKovacs64/hibp might be usable

We could also do this server-side with https://github.com/michaelbanfield/devise-pwned_password but we should be careful with the rate limit (1req / 1500ms).

eugenk commented 6 years ago

Good point. I seem to have missed that.