Open zadigus opened 5 years ago
This issue is related to this backend issue. @shikamu, @donnerc, and @zadigus decided that password validation against Pwned Passwords be only an indicator, so that a user wanting to set a leaked password can do it. No check is performed on the backend side. We decided that that check doesn't improve the system's security. Two-factor authentication would improve security and does not need to enforce HIBP validation. Therefore, the HIBP validation is only required on the frontend side and acts only as an indicator to the user whether her password is pwned or not. The user can then choose to go on with her password or not.
Currently, only the passwords' structure is verified (length, alpha-numerical chars, etc.). Passwords need to be validated against Pwned Passwords. This necessitates random generation of our tests' correct passwords.
As long as this issue hasn't been solved, users can get their passwords validated by the front-end and invalidated by the back-end, which is not consistent and not user-friendly.