Idea ID: 2863103

Password Policy check against HaveIBeenPwned

Status: New Idea
7 months ago

It would be very helpful if the Password Policy could be checked for breached or pwned passwords. The most obvious choice would be to use Troy Hunt's Have I Been Pwned service. It would be great if it could verify individual users' password choice when they create a new password or change an existing password. It would also need to run a scan at regular intervals and notify users if a current password becomes listed on the service.

Labels:

Configuration
Comment
  •  Thanks! I was not aware of that. Not currently using SSPR. Am I correct in assuming that this just checks the password when the user resets it? That is a good thing, but I am particularly interested in checking all passwords on a regular basis. My understanding is that password rotation is no longer the best recommendation. Instead users should change passwords on an as-needed basis. A regular scan of eDirectory against haveibeenpwned would solve that issue.

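The two checks asked for above (rejecting a breached password at set/change time, and a periodic scan of existing accounts) both reduce to the same Pwned Passwords range lookup, so the example below implements it once. This is an added example, not code from the idea post, the comment, or the eDirectory product. It uses the real k-anonymity protocol: the password is SHA-1 hashed, only the first 5 hex characters of the hash are sent to `https://api.pwnedpasswords.com/range/<prefix>`, and the full hash is matched locally against the returned `SUFFIX:COUNT` lines, so the service never sees the password or its complete hash. Everything else is assumed for illustration: `CONSTRUCTED_BREACHED` and `constructed_fetch_range` are a stand-in corpus with invented counts so the code runs offline, and `scan_hashes` takes a `{user: sha1_hex}` export, which is an assumption, since a directory that stores salted password hashes cannot produce unsalted SHA-1 values for such a scan.

```python
"""k-anonymity range lookup against Pwned Passwords, plus a batched scan.

Added example; not code from the idea post or from eDirectory.
Assumptions: constructed_fetch_range stands in for the live API and the
"directory export" given to scan_hashes is {user: unsalted SHA-1 hex}.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# A range fetcher takes a 5-hex-char SHA-1 prefix and returns the API body:
# one "SUFFIX:COUNT" line per breached hash that starts with that prefix.
RangeFetcher = Callable[[str], str]


def sha1_split(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password as (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: breach_count}.

    Padding lines (sent when the Add-Padding header is used) carry count 0
    and are dropped, so a padded suffix can never be mistaken for a hit.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Times the password appears in the corpus (0 = not found).

    Only the 5-char prefix leaves the host; the suffix is matched locally.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def check_new_password(password: str, fetch_range: RangeFetcher) -> Tuple[bool, str]:
    """Gate for set/change time: reject any password seen in a breach."""
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"rejected: this password appears {n} times in known breaches"
    return True, "accepted"


def scan_hashes(user_hashes: Dict[str, str], fetch_range: RangeFetcher) -> Dict[str, int]:
    """Periodic scan over {user: sha1_hex}, one range query per distinct prefix.

    Users whose hashes share a prefix are resolved with a single request.
    Returns {user: breach_count} for every user whose hash is in the corpus.
    """
    by_prefix: Dict[str, Dict[str, str]] = defaultdict(dict)
    for user, digest in user_hashes.items():
        digest = digest.upper()
        by_prefix[digest[:5]][user] = digest[5:]
    hits: Dict[str, int] = {}
    for prefix, users in by_prefix.items():
        counts = parse_range_body(fetch_range(prefix))
        for user, suffix in users.items():
            if suffix in counts:
                hits[user] = counts[suffix]
    return hits


def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher for the real range endpoint (needs network access)."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-policy-check"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in corpus; the counts are invented, not HIBP's figures.
CONSTRUCTED_BREACHED = {"password": 3861493, "Password1": 107823, "letmein": 250455}


def constructed_fetch_range(prefix: str) -> str:
    """Offline fetcher answering like the API for the constructed corpus,
    including a zero-count padding line as the padded live API does."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = sha1_split(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry, must be ignored
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(check_new_password("password", constructed_fetch_range))
    export = {"alice": "".join(sha1_split("letmein")),
              "bob": "".join(sha1_split("correct horse battery staple"))}
    print(scan_hashes(export, constructed_fetch_range))
```

To run it against the live service, pass `hibp_fetch_range` instead of `constructed_fetch_range`; the parser is the same for both. Keeping the prefix-to-request grouping in `scan_hashes` matters for the periodic scan, since it bounds the number of outbound requests by the number of distinct prefixes rather than by the number of users.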