Pwned Passwords by FriendsOfFlarum

A Flarum extension that checks passwords against Have I Been Pwned's Pwned Passwords database so that any password already seen in a known data breach can be rejected.

Installation

Use Bazaar or install it with Composer:

composer require fof/pwned-passwords

Then log in and enable the extension.

Security

Some people may wonder whether this extension is safe to use, since it checks passwords against a third-party API to see whether they have appeared in known data breaches. It is. Passwords are never sent in plain text, and neither is the full hash. The extension computes the SHA-1 hash of the password (a 40-character hex string) and sends only the first 5 characters to the Pwned Passwords range API. The API responds with the remaining 35 characters of every breached-password hash that starts with that prefix, together with the number of times each was seen; the extension then compares the rest of its own hash against that list locally to find an exact match. Because many breached-password hashes share each 5-character prefix, the prefix alone does not identify the password (this is the API's k-anonymity model). Therefore your password is never sent anywhere and remains anonymous.
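
The prefix/suffix exchange described above, as an added example that is not the extension's own code (the extension is written in PHP; this is a stand-alone Python illustration of the same range protocol). The function names, the `User-Agent` string and the sample response for prefix `5BAA6` are assumptions made for the example: the suffixes and counts in `SAMPLE_RESPONSES` are constructed, not real API output, so the module runs offline. Only the `Add-Padding` header and the `/range/{prefix}` endpoint are taken from the public API.

```python
"""Range (k-anonymity) lookup against the Pwned Passwords API.

Only the first 5 hex characters of the SHA-1 hash leave this host; the
remaining 35 characters are compared locally against the list the API
returns. Network access sits behind an injectable fetch function so the
module can be exercised offline with the constructed sample below.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the 40-character hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_request(prefix: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for a range query. Add-Padding asks the API to pad the
    response with count-0 dummy entries so that response size does not reveal
    which prefix was queried. The User-Agent value is an assumed placeholder."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    headers = {"Add-Padding": "true", "User-Agent": "pwned-passwords-range-example"}
    return API_RANGE_URL + prefix, headers


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the API's 'SUFFIX:COUNT' lines into {suffix: count}.
    Lines that are not a 35-hex-character suffix plus a decimal count are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if sep != ":" or len(suffix) != 35 or not set(suffix) <= HEX_DIGITS:
            continue
        if not count.strip().isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password was seen in breaches (0 = not found).
    Padded dummy entries carry count 0, so they never register as a hit."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real HTTP fetch; not used by the offline demo below."""
    url, headers = build_range_request(prefix)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of sha1("password")).
# Suffixes and counts are made up for this example, not real API output.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # remainder of sha1("password")
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",  # padding entry, never a hit
    ])
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for live_fetch: unknown prefixes get an empty response."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch)
        verdict = f"seen {n} times, reject" if n else "not found in sample, accept"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_fetch` for `live_fetch` to query the real API; the request URL never contains more than the 5-character prefix, which is the property the security note above relies on.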

Links

An extension by FriendsOfFlarum.

0.1.2

Changelog 🔨

  • Fix colors of extension icon
  • Switched from hard-coded text to locales for internationalization

Updating ⏫

composer update reflar/pwned-passwords

Please allow Bazaar 60 minutes to pull the update

Apologies if it's painfully obvious; this extension is akin to querying a user's email address against a db of known leaked accounts / corp breaches, albeit it just compares the password hash?

Does it prevent registration if someone uses welcome1 or does it just notify you that your password is not original?
Does it nag the user every time they log in, to spice up their security?
Does it notify the admin or add a special emblem to the user's name bringing attention to the user's lax-tude towards security?

Oh, and nifty extension. 👍

    0E800 It does not send the user's email address. To answer your last 3 questions, it prevents registration, and does not notify anyone.

      I wouldn't want to prevent or force a user to use a suggested password, but I would like the user to be aware.
      I would also see usage in auditing if there was a dashboard entry showing #of users using passwords that have been used before.

      Sorry, David has been taken. How about:
      David17784$
      DavidNewYears1
      DavidBingo

      Then when tech giants finally adapt the super technological concept of passphrase and all passphrases start with a minimum of 14 characters... DBs gonna need upgrading.

      Apologies, tldr;
      Can you make it so that it optionally does not prevent registrations but does drop a visual notification or even a dialog that the user has to click Okay?

        0E800 A switch could be added to enforce this rule or produce a warning and proceed but I will leave that up to OrdinaryJellyfish to decide if he'd want to add that kind of option. Personally speaking, I like having options, but suggesting passwords would fall out of the scope of this extension as it is only pertaining to Pwned Passwords via API.

          Ralkage

          Sorry my man, I was being a little sarcastic. This extension in its current state has the effect of 'molding' not necessarily the best password practices by forcing the user to use a password that is not in a database of what? thousands of user-generated unique passwords?

          Just because another person came up with the super clever password that only I and they know of, it doesn't make it a weak password. I don't want a potential member to be frustrated that they can't come up with a password that doesn't exist. However, letting the user know by means of a dialog box forces them to acknowledge that the password they have been using since 5th grade is not so unique anymore.

          I really like the idea just don't want to prevent membership status based on password complexity.

            0E800 This doesn't judge password complexity. It sends a part of a password hash that in return sends matching hashes from known data breaches. You don't want to use passwords seen in data breaches, as that increases your risk of being exploited...

            0E800 It's not that the passwords do or don't exist. It's just that if a hacker takes the known list of these exploited passwords and does a brute force attack against user names for your forum that might be publicly available (most likely are), you know they won't work if you've done your due diligence in checking. As a user I would like to know that my password is not being used in brute force attacks with every script kiddie tool on the market. If there's a prompt or something that says this is a known publicized password most likely used in brute force attacks, then I would not choose that password. As an Admin of a forum I would not want my users' info compromised, so I see this as a great tool.

              jmiahman I see where you are coming from. Please see from my opinion that this only creates more problems. Makes for lazy admins. If you have set proper permissions for your users, then it's of no consequence if my user name is User and my password is Resu. If you have a single list that you and everyone is comparing their passwords to, you are effectively trusting that the owners of the database are not at the same time adding your unique passwords to their paid-for list. Know what I mean? I get it's hashed or salted or whatever, that hash doesn't disappear because it didn't match.

              There are password lockout policies, captchas, IP logs, blacklists, white-lists, 2FA, etc... Membership is free in most cases, easier to just hack the db as a user instead of the extra tip toeing trying to brute force another users account with a 10GB dictionary list or 10TB rainbow table setup.

              To have my password being forwarded somewhere and queried against a list feels invasive. It's private. My ATM PIN is 4 numbers. My credit card does not require a password, and only rarely a zip code, which c'mon, chances are the zip code is the place it was stolen or found.

              Just seems overkill. Great if it's a pleasant FYI, not so great if the would-be member is like ... nah I'm done surfing the net with my diapers and EpiPen.

              I mean no offence, this is just my opinion; it would be a more functional extension if it was not so strict.
              Informational vs Restrictive.
              Account creation is presented as the user's prerogative, else you might as well give them their username and password instead of the false pretense that it's theirs to choose.

                Some interesting reading about banning known passwords:

                https://www.troyhunt.com/no-spotify-wasnt-hacked/

                https://www.troyhunt.com/when-accounts-are-hacked-victims-must-share-the-blame/

                I agree with Troy's articles about the fact that the company also plays a part if users are hacked via credential stuffing. But how can you distinguish a real user with correct credentials from an attacker with correct credentials? Without 2FA, the only way is to not allow any password that has the slightest chance of having been reused or leaked.

                In my opinion using the Pwned Password API to systematically reject known passwords is a no-brainer. I'm adding this to every new app that I write. I also think having that check upon login would make sense if the Pwned Passwords database has received new records.

                EDIT to answer concerns:

                0E800 you are effectively trusting the owners of the database are not at the same time adding your unique passwords to their paid for list

                Have you read about k-anonymity ? It doesn't matter if hashes are stored or not (they likely aren't). As far as we know, it's perfectly safe. There's no known way of guessing your password out of the partial hash, unless it's something very simple (which could be found by enumeration of possible hashes) which shouldn't be used anyway. If you break k-anonymity, I'm pretty sure a big part of the internet would break as well 😬

                  Just to make this clear again: No passwords are sent to HaveIBeenPwned's API. Not even hashes - only a prefix of the hash, from which the API cannot derive the full hash (what @clarkwinkelmann alluded to with k-anonymity). The API then returns a list of known password hashes matching that password - which the client (this extension) can check for the password that was entered.

                  This is safe. And awesome. 👍

                  0.2.0

                  Changelog 🔨

                  • Hungarian & French translations
                  • Check passwords on reset page

                  Updating ⏫

                  composer update reflar/pwned-passwords

                  Please allow Bazaar 60 minutes to pull the update

                  clarkwinkelmann I also think having that check upon login would make sense if the Pwned Passwords database has received new records.

                  I never actually thought about that. It sounds like a good idea. How would we go about warning them though? When they login, would it show something like a warning prompt that says they should probably change their password because it was in a data breach and let them continue or something else?

                  yagizhan49 Please check my PR.

                  I'll get it merged, don't worry