Closed mistial-dev closed 1 year ago
On my site, I'm considering implementing this with a modal dialog that can't be dismissed, forcing a reload, and an annoying captcha that resets every page refresh.
There's real world practical value in checking Pwned Passwords, but let's be honest, this project isn't about that 🙂
Suggest this is something you can always build in on your end if you're considering implementing it. I'd like to keep this project focused on the increasingly absurd.
If the goal is to waste as much time as possible, it would seem that the rules should remain as plausible as possible, while ideally providing as little resolving information as possible.
Have I Been Pwned's password checker (https://haveibeenpwned.com/Passwords) provides a justification for why a password is wrong that is plausible, but which provides little information on what to change to resolve it.
Given the prevalence of password reuse, it (or something like it) would likely result in at least one rejection in the majority of cases.
It would also provide cover for a delay for "checking if password has been found in data breaches", which could increase with time, and a link to haveibeenpwned showing the password reuse.