Check Users Passwords during Registration/Login

Troy Hunt has published the hashes of 306,000,000 passwords that have been breached, and exposed them as a web service.

https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

Awesome!

This lets you tell a user if a given password has appeared in a breach. You send the service a hash of the password, and Troy’s web service tells you whether that hash has appeared in a breach.

Why is that useful? You can proactively inform users if their password has been breached (and recorded in haveibeenpwned) at either registration or login. You may want to block users from using that password, or you could just warn them.

Below is example code that makes use of this. Note that the API is rate limited to 1 call every 1500ms. I would imagine running this check on login and registration, but only periodically; the idea being to gradually wean users off using breached passwords. Perhaps something like ‘once in every 10 logins, make this check’.

You can’t just check after password changes because, obviously, more breached passwords are appearing all the time.

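    using System;
    using System.Linq;
    using System.Net;
    using System.Security.Cryptography;
    using System.Text;

    public static class PwnedPasswords
    {
        private static string _awesomeTroyUrl = "https://haveibeenpwned.com/api/v2/pwnedpassword/";

        // Returns true if the password is breached, false if it is not found,
        // and null if the service gave no usable answer.
        public static bool? IsPwned(string password)
        {
            // The service is sent the hex-encoded SHA-1 hash of the password.
            byte[] hash;
            using (var sha1 = new SHA1Managed())
            {
                hash = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
            }
            string passwordHash = string.Join("", hash.Select(b => b.ToString("x2")).ToArray());
            // TLS 1.2 only; TLS 1.0 and 1.1 are deprecated and no longer enabled here.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(_awesomeTroyUrl + passwordHash);
            req.UserAgent = "Your User Agent Description Here";
            HttpStatusCode code = HttpStatusCode.NotImplemented;
            try
            {
                using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                {
                    code = resp.StatusCode;
                }
            }
            catch (WebException wex)
            {
                // wex.Response is null when no HTTP response arrived (DNS failure, timeout, TLS error).
                using (HttpWebResponse errorResp = wex.Response as HttpWebResponse)
                {
                    if (errorResp != null) code = errorResp.StatusCode;
                }
            }
            if (code == HttpStatusCode.OK)
            {
                return true; // Yup, it's breached.
            }
            else if (code == HttpStatusCode.NotFound)
            {
                return false; // Nope, it's ok.
            }
            else
            {
                return null; // Rate limited, service error or no response: not checked.
            }
        }
    }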
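The periodic check and the 1500ms rate limit described above can be combined in one gate that sits in front of IsPwned; this is an added example, not code from the original post. The names BreachCheckGate, Decision and CheckEvery are hypothetical, the per-user login count is assumed to be stored with the account, and the single process-wide throttle assumes all calls leave from one server.

```csharp
using System;

// Added example; BreachCheckGate, Decision and CheckEvery are hypothetical names.
public enum Decision { Skipped, Clean, Breached, Unknown }

public sealed class BreachCheckGate
{
    private static readonly TimeSpan MinSpacing = TimeSpan.FromMilliseconds(1500); // rate limit from the post
    private const int CheckEvery = 10;                                             // 'once in every 10 logins'
    private readonly Func<string, bool?> _isPwned;   // e.g. the IsPwned method above
    private readonly Func<DateTime> _utcNow;         // injectable clock so the gate can be exercised offline
    private readonly object _sync = new object();
    private DateTime _nextCallUtc = DateTime.MinValue;

    public BreachCheckGate(Func<string, bool?> isPwned, Func<DateTime> utcNow)
    {
        _isPwned = isPwned;
        _utcNow = utcNow;
    }

    // loginCount is the caller's per-user count of successful logins (assumed stored with the account).
    public Decision Check(string password, int loginCount, bool isRegistration)
    {
        if (!isRegistration && loginCount % CheckEvery != 0) return Decision.Skipped;
        lock (_sync)
        {
            DateTime now = _utcNow();
            if (now < _nextCallUtc) return Decision.Skipped; // inside the 1500ms window: skip, never stall the login
            _nextCallUtc = now + MinSpacing;
        }
        bool? pwned = _isPwned(password);
        if (pwned == null) return Decision.Unknown;          // no usable answer: treat as not checked
        return pwned.Value ? Decision.Breached : Decision.Clean;
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime clock = new DateTime(2017, 8, 4, 12, 0, 0, DateTimeKind.Utc); // constructed test clock
        var gate = new BreachCheckGate(p => p == "password1", () => clock);    // constructed stand-in for IsPwned
        Console.WriteLine(gate.Check("password1", 0, true));       // registration: always checked
        Console.WriteLine(gate.Check("password1", 10, false));     // due, but inside the rate-limit window
        clock = clock.AddSeconds(2);
        Console.WriteLine(gate.Check("correct horse", 20, false)); // due and the window has elapsed
        Console.WriteLine(gate.Check("password1", 23, false));     // not a 10th login
    }
}
```

A Skipped or Unknown result lets the login proceed, so an outage or a busy rate-limit window at the breach service never locks users out; the check simply happens on a later login.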

 
