Optionally support Troy Hunt’s Pwned Password API
One way to keep people safe is to stop them from setting unsafe passwords, specifically passwords that are already part of a known data breach. Checking new passwords against a blocklist of breached passwords is also part of the new NIST password guidance [1]. One way to do this is to use Troy Hunt's Pwned Passwords API [2].
Troy Hunt maintains a huge list of publicly known data breaches and provides ways to check for leaked email addresses and passwords.
How the API works
- Take the user's password
- Generate its SHA-1 hash
- Send only the first 5 hex characters of the hash to the API endpoint (either a self-hosted one or Troy Hunt's)
- The API returns a list of the remaining 35 characters of every hash that starts with those 5 characters; each entry carries a counter telling in how many leaks this password appeared
- The client checks locally which of these suffixes (if any) matches the rest of its own hash
- If a match is found and its counter is > 0, the password is compromised
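The procedure above, as an added Python example (not code from the original proposal or from Pleroma): it hashes the password, splits the hex digest into the 5-character prefix that is sent and the 35-character suffix that stays local, parses a range response into a suffix-to-count map, and reports the breach count. The range body is a constructed stand-in with made-up counts so the check runs offline; `offline_fetch` and `fetch_range_from_api` are hypothetical helper names, and only the latter talks to the real endpoint.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the range endpoint returns for prefix "5BAA6".
# A real response has hundreds of "SUFFIX:COUNT" lines separated by CRLF; the
# counts below are invented for the example.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password"); count is constructed
    "1F7D0F5A9D2C2E5C7E1A1B3D4C5E6F7A8B9:1",
])


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 encoded password, as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    if len(digest) != 40:
        raise ValueError("expected a 40-character hex SHA-1 digest")
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF, blank lines and lower-case hex."""
    suffixes: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line; ignore rather than fail the whole check
        suffixes[suffix.upper()] = int(count)
    return suffixes


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the number of leaks the password appeared in (0 if not found).

    Only the 5-character prefix is handed to fetch_range; the suffix comparison
    happens here, which is the k-anonymity property of the range API.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_compromised(password: str, fetch_range: Callable[[str], str]) -> bool:
    return pwned_count(password, fetch_range) > 0


def offline_fetch(prefix: str) -> str:
    """Hypothetical offline fetcher: knows only the constructed range for 5BAA6."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def fetch_range_from_api(prefix: str, base_url: str = "https://api.pwnedpasswords.com/range/") -> str:
    """Fetch a range from the live API with the standard library (not used by the offline demo)."""
    from urllib.request import Request, urlopen
    req = Request(base_url + prefix, headers={"User-Agent": "pwned-range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", pwned_count(candidate, offline_fetch), "leak(s)")
```

Passing the fetcher as a parameter keeps the hashing and matching logic testable without network access, and makes it easy to point the same code at a self-hosted copy of the list by swapping the base URL.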
Because the returned list contains many hash suffixes, anonymity is guaranteed by the k-anonymity model [3]: the server only ever sees the 5-character prefix and cannot tell which of the returned hashes the client was looking for. The list of passwords can either be downloaded and served locally or be accessed at https://api.pwnedpasswords.com/range/{hashPrefix}. According to Troy, almost all requests are served from the Cloudflare cache and very few actually hit his server.
Who uses this?
Some examples are:
- 1Password
- Eve Online
- Nextcloud
- Bitwarden
- Firefox Monitor
How could we implement this?
- Provide config options, similar to the suggestions API:

```elixir
config :pleroma, :pwned_passwords_check,
  enabled: false,
  check_always: false,
  third_party_engine: "https://api.pwnedpasswords.com/range/"
```

- Integrate the check in the password reset controller
- Do not reset the password if the password was leaked
If check_always is true, the check always happens for everyone. If it is false, a small icon should be displayed in the password change dialog, similar to 1Password and Bitwarden, and the check happens only if the user decides to click on that icon. Maybe include this in the list of instance features in PleromaFE, so people can see which instances offer this service.
I am aware that this can be seen as a controversial feature; that's why I would make this very configurable and entirely optional, yet I do see this as a useful feature to offer.