MyBB Community Forums

Full Version: Check passwords againist HaveIBeenPwned
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I think that registration, change password, and login should check a user's password against HaveIBeenPwned. Their API (supporting KAnonymity meaning they don't see the actual password or specific user) lets you do this easily, there's even a PHP package for it (https://github.com/DragonBe/hibp). This would improve account security and reduce the number of hacked MyBB accounts. Before someone says this could be a plugin, I disagree, why isn't StopForumSpam a plugin, why isn't Google's recaptcha a plugin? The justification is clear.
I would rather include a password strength check as core.
https://github.com/bjeavons/zxcvbn-php
(01-12-2019, 05:39 PM)Lunorian Wrote: [ -> ]Before someone says this could be a plugin, I disagree, why isn't StopForumSpam a plugin, why isn't Google's recaptcha a plugin? The justification is clear.

StopForumSpam protects against SPAM, not illegal/hacked MyBB accounts. Anti-spam is the primary goal of this option.

Google's Recaptcha protects against posting bots (illegal or otherwise) and that is the primary goal of this option. This option has nothing to do with dealing with illegal/hacked MyBB accounts.

If you want the 'HaveIBeenPwned' option to be added into the MyBB core programming, then you have to go through the proper channels, like THIS FORUM for your suggestions to be implemented.

Then the MyBB development team will decide whether or not this is justified. 

If this is justified, then the proper code will be added into MyBB's core programming.
(01-13-2019, 08:55 AM)Serpius Wrote: [ -> ]StopForumSpam protects against SPAM, not illegal/hacked MyBB accounts. Anti-spam is the primary goal of this option.

This is correct. Moreover, and not mentioned here, is that SFS also used to be a 1.6 plugin, and was added into core in 1.8, as it is, actually, a useful feature.
I would like to see a plugin available first to gauge how much use it gets and to allow the code to be refined outside of the core. It can always then be integrated in later versions if it gets enough use and there's a clear reason to do so.
I generally dislike any API which potentially leaks user data to external APIs, this includes SFS, HIBP, and maybe reCaptcha, but only because I'm not fond of Google being a giant data sink. It might be okay if it's optional, but I'd worry about potentially leaking password data there.
(09-06-2019, 08:28 AM)Azah Wrote: [ -> ]I generally dislike any API which potentially leaks user data to external APIs, this includes SFS, HIBP, and maybe reCaptcha, but only because I'm not fond of Google being a giant data sink. It might be okay if it's optional, but I'd worry about potentially leaking password data there.

There is no risk of the password being leaked.

https://blog.cloudflare.com/validating-l...anonymity/