Integrate Pwned Passwords API from haveibeenpwned.com
Summary
LLNG could enhance security when a user changes her password by checking whether the submitted password is known to be one of the 613,584,246 leaked passwords in the HIBP API database.
Design proposition
- Before pushing the password change to the backend DB, LLNG could do a REST call to HIBP API.
- There is a way to do these checks offline (see Scott Helme's "When Pwned Passwords Bloom!"), but it is considerably more work to maintain (updating the DB and recreating the local data set seems to take several hours), and it requires more than 25GB of free disk space!
- If the call takes longer than a defined timeout (because HIBP is down, Internet access is down (in the case of a local network), or whatever), it would be user-friendly to accept the password nonetheless (a parameter to allow or disallow this would of course be best, but the risk of allowing a weak password in that case is no higher than the current behaviour of not checking the password against this API at all).
- If the API says it's a leaked password, a parameter could disallow (or allow anyway) the user to use this password.
- It would be a good idea to let the user know that this password is leaked according to HIBP, with a link to the breach page on the HIBP website. But since that site is English-only, a translated message letting the user understand the reason should also be possible.