Reject passwords for having appeared in a previous breach #64

Open
ubalklen opened this issue Aug 4, 2022 · 3 comments
Comments

ubalklen commented Aug 4, 2022

Maybe randomly, reject passwords for having appeared in a previous breach.

Owner

troyhunt commented Aug 4, 2022

That's doable, any PRs implementing this by querying Pwned Passwords are welcome. Suggest making it quite early in the workflow; once the really screwy criteria appear, any password that meets them is highly unlikely to have been previously breached anyway.
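
The lookup suggested in the comment above, sketched as an added example (not code from this thread or from the project): it queries the Pwned Passwords range endpoint with only the first five hex characters of the password's SHA-1 and matches the remaining suffix locally. The function names, the rejection message, the skip-on-failure behaviour and the offline stand-in with its sample passwords and counts are assumptions made for the illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_http(prefix):
    """Live lookup: only the 5-character hash prefix leaves this machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_http):
    """Return how many times `password` appears in the breach corpus (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Response body is one "HASH_SUFFIX:COUNT" entry per line for this prefix.
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def rejection_message(password, fetch_range=fetch_range_http):
    """Hypothetical rule: a message if the password is breached, else None."""
    try:
        seen = breach_count(password, fetch_range)
    except OSError:
        return None  # assumption: skip this rule when the lookup is unavailable
    if seen:
        return "Password has appeared in a previous breach"  # hypothetical wording
    return None


def make_fake_range(breached, seen_prefixes):
    """Constructed offline stand-in for the endpoint; records what it was sent."""
    def fetch(prefix):
        seen_prefixes.append(prefix)
        hashes = ((sha1_hex(p), n) for p, n in breached.items())
        return "\r\n".join(f"{h[5:]}:{n}" for h, n in hashes if h.startswith(prefix))
    return fetch
```
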

Saiv46 commented Aug 4, 2022

I think instead there should be a check for consecutive numbers or letters on the "low" infuriation level (since most breached passwords are 12345*, abcd*, etc.)

toby3d commented Aug 5, 2022

Alternative: create your own password breach consisting of all passwords which spammers try to enter. And regretfully report that the password entered by the spammer has already been used before or even by someone else, so it's dangerous to use already leaked passwords.

As a result: an interesting database of passwords generated by spammers for future analysis.
