Passwords should be matched against a "password blacklist" #30
Comments
|
The haveibeenpwned API have many advantages over an in-house solution.
But, to keep a minimal validation, a local list to verify the proposed password against the 1000 more used can be a good plan B. |
We are definitely not looking for a in-house solution that matches all the features
Any suggestions of how would that list be created/maintained? Should we just cache the responses we get from Maybe you have another strategy not listed above? Thanks! |
|
My suggestion is download the haveibeenpwned passwords list that is already ordered by prevalence and choose a feasible number of the first positions to keep with us. To choose the number of passwords kept in-house we could consider the maximum number that keeps the file size and search time manageable under our structure. |
|
@abilioesteves should we proceed with @erickmoreno ideas of retrieving from |
|
Not a priority at the monent, @claudiosegala. Thanks! |
We should match the provided passwords on registration/update against a "password blacklist".
We should check against "haveibeenpwned" without degrading the user experience. If it takes to long to respond or it breaks, we need to check the password against an in-house "black list".
The mechanism of how to construct and evolve this in-house blacklist is open for discussion.
The text was updated successfully, but these errors were encountered: