Add haveibeenpwned password check #2642

Open. Wants to merge 4 commits into base: master.

Conversation

AlexProgrammerDE

This pull request adds a haveibeenpwned.com password check before allowing a user to register with a password.
This will hopefully force users to not use weak passwords, which are easy to crack by comparing the stored hash with password lists. The password is hashed, and only the first five characters of the hash are sent to haveibeenpwned. Then the response is validated by AuthMe on the server, which goes through the ~500 hashes returned by the API. So this is a very secure way of checking how secure a password is.

[Screenshot: example message with weak password]

References:

It appears that there is a paid API, but from what I've seen, it is only for account breaches where you search by E-Mail, not by password. So I don't think there will be any rate limits this hits.
My discord is Pistonmaster#0001 (In AuthMe support discord server), let me know if there should be something changed here.
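The k-anonymity range check the description above refers to, as an added Python illustration that is not code from this pull request or from AuthMe: only the 5-character SHA-1 prefix leaves the server, and the suffix comparison happens locally. The `SAMPLE_RANGE_BODY` and `fake_responder` are constructed stand-ins for the API; `live_responder` is the real endpoint call and is not exercised offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real range endpoint


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix is ever transmitted; the suffix stays on our side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range response contains. Malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, range_responder) -> int:
    """Query range_responder(prefix) -> body, then look up the suffix locally.
    Returns 0 when the suffix is absent; padded entries (count 0) also read as not found."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(range_responder(prefix)).get(suffix, 0)


def live_responder(prefix: str) -> str:
    """Real network call to the HIBP range API (not used by the offline demo below)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password" starts with 5BAA6).
# The count for the real suffix and the two filler suffixes are made up for this example.
SAMPLE_RANGE_BODY = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "A" * 35 + ":7",
    "B" * 35 + ":0",  # a padded entry: present in the body but not a real hit
])


def fake_responder(prefix: str) -> str:
    """Offline stand-in for the API that only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password seen", breach_count("password", fake_responder), "times")
```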

@sgdc3 sgdc3 requested review from sgdc3 and ljacqu January 1, 2023 04:08