Opened 3 months ago

Last modified 3 months ago

#14837 new enhancement

Check BKeyStore passwords on haveibeenpwned.com

Reported by: kallisti5 Owned by: nobody
Priority: low Milestone: Unscheduled
Component: Kits/Application Kit Version: R1/Development
Keywords: BKeyStore credential Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

haveibeenpwned.com now offers a service which accepts an anonymized password hash, and reports the number of times it has been found on compromised sites,databases,etc.

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

Our BKeyStore could (optionally) look-up passwords on this database, and warn users.

If we went this route, i'd want Haiku, Inc. to throw a small donation at haveibeenpwned.com since it's a pretty awesome service.

Change History (1)

comment:1 Changed 3 months ago by pulkomandy

I've always wondered if such services would not in fact collect the passwords one is testing with? But that new API seems to make more sense, at least.

I don't think it's up to BKeyStore itself to do this, however (sometimes you can't even choose your password for online services...). But any place where we allow the user to set or generate a password, yes.

Note: See TracTickets for help on using tickets.