Have-I-Been-Pwned

Started by SleePy, March 01, 2022, 03:01:12 PM

SleePy

Link to the mod

This enables checking passwords against the Have-I-Been-Pwned database. Passwords are only checked on registration and when changed on the profile.

Additionally, this can attempt to check the password from the browser using the same API.

SMF 2.1.0 or higher only! PHP 7.3 or higher only

Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Shades.

Nice! 8)

What are the differences between "Enable Server based Have-I-Been-Pwned Checks" and "Enable Client based Have-I-Been-Pwned Checks" and should I have them both checked?
ShadesWeb.com - Custom Logos - My Themes on SMF | My Themes on ShadesWeb
https://shadesweb.com

BikerHound.com - Sniffing out the road ahead
https://bikerhound.com

Dream as if you'll live forever; Live as if you'll die today. - James Dean

SleePy

Server side will have the server submit the checks to the API, while client side will let the browser submit the checks. The client side thus can do a more real time check while the server side is performed upon submission. You can run both.

Shades.

Quote from: SleePy on March 04, 2022, 10:29:37 PM
Server side will have the server submit the checks to the API, while client side will let the browser submit the checks. The client side thus can do a more real time check while the server side is performed upon submission. You can run both.

Ok thanks! Nice mod! 8)

landyvlad

Just saw this - it'd be good if there was a way to periodically check people's accounts/passwords as a matter of course (i.e. not just on change/registration). Is that even possible?
"Put as much effort into your question as you'd expect someone to give in an answer"

Please do not PM, IM or Email me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

Be the person your dog thinks you are.

SleePy

You can register your email to be notified if it shows up in a breach. You can register the domains you own to be notified if any email on them has a listing. There isn't one to tell you that your password has been found in a recent breach. You can follow Troy Hunt's blog and he will post about any new disclosures. You can then test your password again to see if it was breached.

As your password is in a one-way hash, there is no way to take these hashes and compare them against your password hash. The password must be typed in for the API to work as it only sends partial passwords over the API.
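
Added example, not part of the thread and not the mod's own code: a sketch of the range lookup behind a Have-I-Been-Pwned password check, showing that only the first five characters of the SHA-1 digest leave the machine and the match is made locally. The function names, the `offlineFetch` stand-in and the sample response body are constructed for illustration; it uses Node's `crypto` module so it runs offline.

```javascript
const { createHash } = require("crypto");

// Split the uppercase SHA-1 hex digest into the 5-character prefix that is
// sent to the API and the 35-character suffix that never leaves the caller.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8")
    .digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body (one "SUFFIX:COUNT" entry per line) and return
// how often the local suffix was seen; 0 means no match in this range.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// Constructed sample body for prefix 5BAA6; the counts are made up.
const SAMPLE_RANGE_BODY = [
  "003D68EB55068C33ACE09247EE4C639306B:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
  "F".repeat(35) + ":0", // padding-style entry, counts as "not seen"
].join("\r\n");

// Offline stand-in for the HTTP GET of the range endpoint
// (https://api.pwnedpasswords.com/range/<prefix>).
const offlineFetch = (prefix) => (prefix === "5BAA6" ? SAMPLE_RANGE_BODY : "");

// Full check: hash the typed password, request the range by prefix only,
// then look for the suffix in the returned list.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return { sent: prefix, timesSeen: countInRange(fetchRange(prefix), suffix) };
}

console.log(checkPassword("password", offlineFetch));
```

The check needs the plaintext at the moment it is typed, which is why it runs at registration and password change and cannot be run against the salted hashes a forum already stores.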