Idea ID: 2863103

Password Policy check against HaveIBeenPwned

Status: New Idea
7 months ago

It would be very helpful if the Password Policy could be checked for breached or pwned passwords. The most obvious choice would be to use Troy Hunt's Have I Been Pwned service. It would be great if it could verify individual users' password choices when they create a new password or change an existing password. It would also need to run a scan at regular intervals and notify users if a current password becomes listed on the service.

Labels: Configuration
Comment
  • , you are correct about NIST's recommendations with regard to rotating passwords. Like  said, SSPR in its current version handles breach corpus checks at time of password change. NIST also recommends calculating password strength based on entropy. SSPR has a mode to do entropy calculation of a password for strength rather than some arbitrary inclusion of special characters. While it does not currently have a feature for breach corpus checking of all your passwords, I've heard this may be something that's delivered in a future release.

