Pwned integration


jfar...@gmail.com

Jan 24, 2019, 7:26:54 PM
to pwm-general
Hello:

Has anyone tried to integrate pwm with "Have I been pwned?" https://haveibeenpwned.com/Passwords . It has an API and a hash database that could be used to check when users try to set their password.

Is there a way to do this?

Thanks,

Juan

ad...@sim-ci.com

Feb 6, 2019, 12:18:13 PM
to pwm-general

That would be a great gimmick.

Jason Rivard

Mar 3, 2019, 6:47:19 PM
to pwm-general
This sounds like a horrible idea to me. This would be sending your users potential passwords across the network (unencrypted except possibly via https) to a somewhat questionable remote service. Instead, why not just take their password wordlist (or a better one) and use it as a custom PWM wordlist...

jacob....@gmail.com

Mar 19, 2019, 12:35:20 AM
to pwm-general
Juan,

We did this exact integration. As Jason mentioned, you would not want to simply send the raw passwords to a third party as that would be a security disaster. (Also the API you mentioned doesn't allow that).

We did this by writing a small web service that accepts calls from PWM's Password Check REST Service and then queries the Have I been pwned service to see if the password has been breached (it does this without sending the password or hash to their service using k-anonymity which you can read about on their site). If it finds a match then it responds to PWM's request with an error so the user will be told to pick a different password.

I used the https://github.com/lionheart/pwnedpasswords library for Python. Our security team reviewed this to ensure it's not transmitting the passwords, but I encourage you to review it before using it (or any other library that would handle passwords).

Cheers,
Jacob
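The k-anonymity lookup Jacob describes, as an added example that is not Jacob's service nor the pwnedpasswords library: only the first five hex characters of the password's SHA-1 are sent to the HIBP range endpoint, and the match is done locally against the returned suffix list. The wiring to PWM's Password Check REST Service is not shown; `fetch_range_fake` and the `_FAKE_RANGES` response body are constructed stand-ins so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint


def sha1_hex_upper(password: str) -> str:
    """HIBP keys its corpus by upper-case SHA-1 hex digests of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Network call: fetch the 'SUFFIX:COUNT' list for a 5-char hash prefix."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) are dropped."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return the breach count for the password, or 0 if HIBP has not seen it.

    Only digest[:5] leaves this host; the password and its full hash never do.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for an HIBP response body (counts are made up).
_FAKE_RANGES = {
    sha1_hex_upper("password")[:5]: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",      # constructed filler entry
        sha1_hex_upper("password")[5:] + ":3730471",   # the suffix we expect to hit
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",      # constructed padding entry
    ])
}


def fetch_range_fake(prefix: str) -> str:
    return _FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "xK9#v!Lq2p@7zW"):
        print(pw, "->", pwned_count(pw, fetch_range_fake))
```

A service sitting between PWM and HIBP would reject the password whenever `pwned_count` is non-zero and should decide explicitly whether a failed HIBP lookup fails open or closed.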

the...@gmail.com

Apr 4, 2019, 5:03:06 AM
to pwm-general
Hello Jacob,

This looks like it could be really useful.
Can you share this web service?

Thanks,

--
Francois
