Idea ID: 2863103

Password Policy check against HaveIBeenPwned

Status : New Idea

It would be very helpful if the Password Policy could be checked for breached or pwned passwords.  The most obvious choice would be to use Troy Hunt's Have I Been Pwned service.  It would be great if it could verify individual users' password choices when they create a new password or change an existing password.  It would also need to run a scan at regular intervals and notify users if a current password becomes listed on the service.

Labels:

Configuration
  • We really do need to be able to check all or a portion of the passwords "now" and then on a scheduled basis.

  • , you are correct about NIST's recommendations with regard to rotating passwords. Like  said, SSPR in its current version handles breach corpus checks at time of password change. NIST also recommends calculating password strength based on entropy. SSPR has a mode to do entropy calculation of a password for strength rather than some arbitrary inclusion of special characters. While it does not currently have a feature for breach corpus checking of all your passwords, I've heard this may be something that's delivered in a future release.

  • Correct, SSPR only checks HIBP during a password change.


    Norbert

  •  Thanks!  I was not aware of that.  Not currently using SSPR.  Am I correct in assuming that this just checks the password when the user resets it?  That is a good thing, but I am particularly interested in checking all passwords on a regular basis.  My understanding is that password rotation is no longer the best recommendation.  Instead users should change passwords on an as-needed basis.  A regular scan of eDirectory against haveibeenpwned would solve that issue.
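The idea and the last comment both describe the same operation: look a password up in Have I Been Pwned, either at change time or on a schedule. Below is an added example of how that lookup works with the Pwned Passwords range API's k-anonymity model; it is not SSPR's, eDirectory's or HIBP's own code. Only the first five hex characters of the SHA-1 hash are sent to the service, the remaining 35 characters are compared locally against the returned range. The network fetcher, the `User-Agent` string and the breach counts in the constructed stand-in corpus are assumptions, not real HIBP data; the fake fetcher lets the block run offline.

```python
"""Password breach lookup against the Pwned Passwords range API (k-anonymity).
Added example for illustration; not SSPR, eDirectory or HIBP code."""
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
# Assumed value: the API requires some User-Agent, the text itself is up to the caller.
USER_AGENT = "example-password-policy-check"


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(digest: str) -> Tuple[str, str]:
    """Only the 5-char prefix leaves the host; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padded responses include ':0' filler lines,
    which simply mean 'not in the corpus'."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus; 0 means not found.
    This is the check to run when a user sets or changes a password."""
    prefix, suffix = split_prefix(sha1_upper_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real network fetch for one hash prefix (not used offline)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": USER_AGENT, "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def scan_accounts(accounts: Dict[str, str],
                  fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """Scheduled-scan shape: group accounts by hash prefix so a single range
    request covers every account that shares it. Returns (user, count) pairs
    for accounts whose password is in the corpus."""
    by_prefix: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for user, pw in accounts.items():
        prefix, suffix = split_prefix(sha1_upper_hex(pw))
        by_prefix[prefix].append((user, suffix))
    flagged: List[Tuple[str, int]] = []
    for prefix, members in by_prefix.items():
        counts = parse_range_response(fetch_range(prefix))
        for user, suffix in members:
            n = counts.get(suffix, 0)
            if n:
                flagged.append((user, n))
    return sorted(flagged)


# Constructed stand-in corpus: these counts are made up, not real HIBP figures.
FAKE_CORPUS: Dict[str, int] = {"password": 3730471, "letmein": 200000, "Winter2024!": 12}


def make_fake_fetcher(corpus: Dict[str, int]) -> Callable[[str], str]:
    """Build an offline fetcher that answers like the range endpoint would."""
    table: Dict[str, List[str]] = defaultdict(list)
    for pw, n in corpus.items():
        prefix, suffix = split_prefix(sha1_upper_hex(pw))
        table[prefix].append(f"{suffix}:{n}")

    def fetch(prefix: str) -> str:
        # Append one ':0' line to mimic the padding the real API can add.
        lines = table.get(prefix.upper(), []) + ["0" * 35 + ":0"]
        return "\r\n".join(lines)

    return fetch


if __name__ == "__main__":
    fake = make_fake_fetcher(FAKE_CORPUS)
    print(breach_count("password", fake))
    print(scan_accounts({"alice": "password", "bob": "Tr0ub4dor&3-unique-xyz"}, fake))
```

Swap `make_fake_fetcher(FAKE_CORPUS)` for `live_fetch_range` to query the real service. One caveat for the scheduled-scan half of the request: a directory holds password hashes, not the passwords themselves, so a periodic scan of existing credentials only works where the stored hash is in a form the corpus is published in (HIBP also offers its list as NTLM hashes for download); otherwise the check has to happen at the moment the password is set, which is the point at which SSPR performs it today.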