iCanHazPassword

Have I Been Pwned? Integration


As a security professional, I think it would be really awesome if you guys added the option to integrate with the Have I Been Pwned? API when using the password reset portal. This would allow you to check the password being set against the 300+ million known passwords from various breaches. If a match is found, have options to either allow the user to accept the risk or an admin option to force the user to pick a different password.


API Info here:

https://haveibeenpwned.com/API/v2#PwnedPasswords


The DB can also be downloaded offline if you wanted to automate that process and do lookups locally.


Hi jnalldr,


Thanks for your request, and we're actually working on adding 'Bad Passwords' into the Reset Portal at the moment - and customers can add any number of Bad Passwords they want. We're also introducing Password Policies as well, similar to Password Strength Policies in the core product.


Hopefully these will help with your request, and possibly perform a little better considering it does not need to reach out to the Internet to check.

Regards

Click Studios


Sort of. It would be nice if a source could be used that was regularly updated. Instead of the API call, maybe the option to download the PW DB and check against it locally. If I have to manually add passwords, it won't happen. Considering the password DB has over 300 million PWs, it's not manageable if done manually.


Hi jnalldr,

Thanks for your suggestion, and we're not sure if we would want to consider 300 million records, as that may have a performance impact on the database - the "Have I Been Pwned" solution has been designed for one specific purpose, but the SQL Database for Passwordstate performs many more functions as well.

Regards

Click Studios


Is there any plan to integrate the Pwned Passwords API as an option in the existing "Bad Passwords" feature?


The existing Bad Passwords feature is only really useful for short wordlists, and even if it could handle 300+ million records, Troy Hunt's lists come as SHA-1 hashes.


Hello Markeldo,


We do plan on looking into this as an option at some stage, as soon as we can allocate some time to it. This may be quite a bit of work, as we need to consider everywhere Bad Passwords are used, i.e. UI, API, Windows Service. We'd also need this to be an option, for customers who do not want to allow Passwordstate to communicate on the Internet.

Regards

Click Studios


Hi Everyone,


Happy to report back here that we now have Pwned integration in our software, in our standard Passwordstate Vault and also in the Password Reset Portal module. After upgrading to 8388 or higher, you will see this option under Bad Passwords:

[screenshot: 2018-06-21_11-20-16.png]


Then, as long as Bad Passwords is enabled on the Password List, when a user goes to add or update an existing password, it will perform a Pwned check and deny them setting the password if it matches the online Pwned API.


Thanks for the suggestions!


Support.


Hello,


Yes, the API call being used is https://api.pwnedpasswords.com/range/


We did download the database ourselves, and when you extract the zip file it's about 30GB. Would you want to host something that big? And this database is constantly being updated as well.

We'd need to figure out what high-performance DB we would use for this as well, as you wouldn't want the overheads of SQL Server for this sort of functionality.

Regards

Click Studios


Well, using range search is fine anonymity-wise. But if there were an option to use an offline list, I'd still choose that one. Hosting 30GB of files on a Windows server is not an issue, and I would not expect it to be for anyone opting for an offline list. Just the search performance would need to be quick, and if the source files are transformed into some other form, the performance of that transformation. The transformation could also happen on some other server than the one hosting PasswordState. One thing to scratch your heads over: when Troy releases a new version of the pwned passwords list, would it be a manual update, and how would we get the information? Do we need to follow Troy's blog, or could you provide information about list updates within PasswordState notifications?


Without offline list support we need to weigh the pros and cons of using the online API for this feature.


Hello,


Thanks for the feedback - we appreciate it.


To have an offline version of this, it would be a completely new module for Passwordstate. And as we've discussed, there would need to be some sort of process for constantly updating this DB. At this stage we're not sure what the interest is from the community on this, so we will need to wait to see how many customers would like it.

Regards

Click Studios


Good morning all,


I think this feature is excellent! While looking into the self-hosted/downloaded version of the DB would require extra work and resources, I think it is the best approach. Yes, the passwords/hashes are "securely" sent up to HIBP, but it could still pose a concern for some companies. Every password that we create is sent to the "cloud" to see if it is vulnerable??? This wouldn't be received very well by some people...even though there isn't much of a concern here.


The database so far doesn't seem to be updated too frequently. The last published dump was in March.


Overall, yes, we are all for this ability! Let us know if you need any more info, recommendations, etc.


Thanks for all your work with PWState!


Since you already have the feature in place...what are the chances of allowing a "custom" API? Basically, I'm thinking about the idea of creating our own internal REST API using the HIBP DB.

We would then need to specify a custom URL to check bad PWs.


Would that be something you could look into?


Hi parrishk,


If we are going to do this, we would develop the feature ourselves so that all customers could use it.

If you're wanting to try this yourself, you can edit the URL being called within the JavaScript file C:\inetpub\Passwordstate\App_JScript\pwned.js. I guess longer term we will need to provide this "URL" as an option, so customers can choose to use the online API, or something local.

Regards

Click Studios


Thank you for sharing the path. This may be something we look into doing internally.


However, after further review of HIBP V2, I had not realized that they implemented the k-anonymity approach. This greatly reduced my concern with sending hashes to HIBP.

Taking the first 5 characters of the hash, returning the matches and then comparing them locally is a great approach.

Testing out the feature now!


Thanks!

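The k-anonymity range check the posts above describe, written out as an added Python example (not from the thread and not Passwordstate's own pwned.js): only the first 5 hex characters of the SHA-1 hash go to the range endpoint named in the thread, and the remaining 35 characters are matched locally against the returned "SUFFIX:COUNT" lines. The sample range body, its counts, and the User-Agent value are constructed assumptions.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint named in the thread

# Constructed sample of a range response for prefix 5BAA6 (the first five hex chars of
# SHA-1("password")). A real response has hundreds of "SUFFIX:COUNT" lines; the counts
# and the first two suffixes here are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    ),
}


def split_sha1(password: str) -> tuple:
    """SHA-1 the password and split the hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response into {suffix: count}, tolerating CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Fetch one range from the public API (assumed: a plain GET with any User-Agent)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_online backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Return how many times the password appears in breaches (0 = not found).
    The full hash is compared locally, so the API never sees it."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Pass `fetch_range_sample` to run it offline, or swap in a fetcher that reads a self-hosted copy of the list, which is the "custom URL" idea raised later in the thread.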

Hi Guys and Good job with the PWN integration. :) Love it.


We now only have one problem: the ongoing struggle of onboarding people to Passwordstate.

Because it works so well, many passwords that are already set in the environment are seen as bad and therefore can't be added to Passwordstate.

So the problem that occurs is when you are adding a password that is already in use somewhere in the environment, and you can't just go and change that password because of the different systems that use it, and you can't just shut everything down without getting proper authorisation and waiting for a service window.


So what we would need in order to get the benefit of this is some kind of easy way to get notified of a bad password but still be able to set it.

Since not being able to set it means it doesn't get into Passwordstate so we can get a grasp of what passwords are bad; instead they remain on the post-its or in the .txt file.


So it would be very nice with a popup message which explains that it is a bad password and so forth, but where one could say yes, save anyway.

If you want to go advanced, you could do something like a mail notification if someone saves a bad password, or something like that.


Maybe this is something that is already possible, but I only found one setting to block saving of bad passwords, not warn about them.


Love what you guys do here at Click Studios, keep up the good work.


Best Regards, Ulf


Hmm...maybe temporarily disable the "prevent bad passwords" option during the onboarding process. Or is this a recurring process for the same list?


Yes, this is a recurring process in a lot of password lists.

And as far as I know, I don't get notified if the password is bad if I disable "prevent bad passwords"...


Hi Guys,


This was also our concern about implementing this feature, but several customers reassured us that it wouldn't be a problem :)

We're not really sure what to suggest here if you want to use this feature. You could uncheck the option which prevents saving if a bad password is detected, but that sort of defeats the purpose of having this feature in the first place. We could look at the warning as you've suggested, but we're pretty sure users would just ignore this and continue to use these "bad" passwords.

Regards

Click Studios


Hi again, seems like we are not alone with the problem then....  :-)


One idea could be to let people put the password in the first time it's created, but not to update to a password that is found to be bad.

One other thing that would be a nice feature is some way of showing a small popup guide when you are creating a password, so we could give tips on how one should go about creating a good, strong password.


For example, the "Bad password popup" is a static message; it would be nice if I could set this message to what I want. Then I could say something like "this password is actually known to bad guys and therefore you are not permitted to use it", or just give a short lesson in our password policy. I bet all companies would want to say different things, so the possibilities are endless.

If you made it a different kind of popup, even links to intranet resources could be put in.


Features that would let us security people easily, and when it is needed, educate the masses, so to speak (this would be best done when they are actually creating a new password that is found to be inadequate), would be greatly appreciated.

The only tool given by Passwordstate right now (that I am aware of) for this is the emails, and they are not always as effective as I would like.


Keep up the awesomeness :-D

Ulf
