poetapp / frost-api

Po.et's API Layer
https://api.poetnetwork.net
MIT License

Integrate "Have I Been Pwned" DB of cracked passwords #137

Closed geoffturk closed 6 years ago

geoffturk commented 6 years ago

Have I Been Pwned is a website that keeps a database of known cracked passwords (i.e., passwords exposed in data breaches), numbering more than half a billion.

They provide an API that enables us to check a password proposed by a user to confirm it has not been exposed previously in a breach, making it a likely candidate for a brute-force password cracker. This check should be integrated when an account is first created and also when a user attempts to change the account's password.

ericelliott commented 6 years ago

We don't necessarily need to use their API. We can download the DB and check against it ourselves.

lautarodragan commented 6 years ago

@ericelliott mentioned in Investigate quality of password hashing algorithm:

Switching from Argon2 to PBKDF2 should be a lower priority than haveibeenpwned. IMO, haveibeenpwned should be in the Mainnet milestone. Switching our hashing algorithm should not.

If we want to add this to the mainnet launch we should start discussing this now.

Using the API should be simple, and we don't have a whole lot of people creating accounts right now.

The DB is ~8 GB, not a small file we can copy into a Frost API instance.

If we decide to use the API initially, we could get away with adding that check to Frost as is. If we decide to go with the DB from day one, we should create a new service to handle password validation.

It's not a very complex service (initially) but I don't think we want to build that before our mainnet launch.

ericelliott commented 6 years ago

I think we can do this separate from the Frost node for now. See pwned-checker.

warrenv commented 6 years ago

FYI, the API is rate limited to 1 call every 1500 milliseconds. That doesn't seem like it will meet our scalability needs.

On Thu, Jun 21, 2018 at 10:04 PM Eric Elliott notifications@github.com wrote:

I think we can do this separate from the Frost node for now. See pwned-checker https://github.com/poetapp/pwned-checker.


lautarodragan commented 6 years ago

Totally. Saw the pwned-checker you started working on @warrenv, nice work.