Provide Password (Compromised) Checking API #7395

Closed
rwinch opened this issue Sep 6, 2019 · 0 comments
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement

@rwinch
Member

rwinch commented Sep 6, 2019

Summary

Password reuse is a serious problem for users and the source of many different hacks. It would be awesome if we could provide integration with https://haveibeenpwned.com to alert users if their password has been compromised.

Some ideas are that this check could be automated when authenticating a user, changing a password, etc.


After playing a bit around the design of such an API it has become clear that it should focus solely on checking if a password is compromised. It is not its intention for now to make a contextual check, like if a password has been reused for example.
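
An added example, not taken from this issue or from Spring Security's code, of the narrowly scoped check described above: it answers only whether a password appears in a breach corpus, using the Pwned Passwords range endpoint so that only the first five hex characters of the SHA-1 hash leave the application. The class name, `isCompromised`, and the stubbed lookup are hypothetical, and the response body is constructed so the block runs offline (Java 17+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.function.Function;

/** Hypothetical checker (not Spring Security's API): reports only whether a password is known-breached. */
public class CompromisedPasswordExample {

    /** SHA-1 of the password as 40 upper-case hex characters, the form the range endpoint uses. */
    static String sha1Hex(String password) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().withUpperCase().formatHex(digest);
    }

    /**
     * rangeLookup maps a 5-character hash prefix to a response body with one "SUFFIX:COUNT" line
     * per known hash. In production it would GET https://api.pwnedpasswords.com/range/{prefix};
     * here it is injected so the full hash and the password never need to leave the process.
     */
    static boolean isCompromised(String password, Function<String, String> rangeLookup)
            throws NoSuchAlgorithmException {
        String hash = sha1Hex(password);
        String prefix = hash.substring(0, 5);   // the only value sent to the service
        String suffix = hash.substring(5);      // compared locally
        for (String line : rangeLookup.apply(prefix).split("\\R")) {
            String[] parts = line.trim().split(":");
            // A count of 0 marks a padding entry in padded responses, not a real breach record.
            if (parts.length == 2 && parts[0].equalsIgnoreCase(suffix)
                    && Integer.parseInt(parts[1]) > 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed range response: one matching entry for "password" plus one padding entry.
        String breached = sha1Hex("password");
        String padding = "0".repeat(35) + ":0";
        Function<String, String> stub = prefix -> prefix.equals(breached.substring(0, 5))
                ? breached.substring(5) + ":42\r\n" + padding
                : padding;
        System.out.println("password -> " + isCompromised("password", stub));
        System.out.println("constructed sample -> " + isCompromised("x9$Lq-constructed-sample", stub));
    }
}
```

Because the check is a pure function of the password, it can be called from a password-change or login flow without knowing anything about the user, which matches the scope stated in the issue.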

@rwinch rwinch changed the title Integrate with haveibeenpwned Provide Password Checking API Sep 6, 2019
@rwinch rwinch changed the title Provide Password Checking API Provide Password (Reuse) Checking API Sep 6, 2019
@rwinch rwinch added this to the 5.3.x milestone Sep 6, 2019
@rwinch rwinch added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@eleftherias eleftherias added type: enhancement A general enhancement in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 25, 2022
@eleftherias eleftherias removed this from the 5.3.x milestone Feb 25, 2022
@marcusdacoregio marcusdacoregio self-assigned this Oct 25, 2023
@rwinch rwinch changed the title Provide Password (Reuse) Checking API Provide Password (Compromised) Checking API Mar 8, 2024
@marcusdacoregio marcusdacoregio added this to the 6.3.0-RC1 milestone Apr 1, 2024
marcusdacoregio added a commit that referenced this issue Apr 10, 2024
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.

Issue gh-7395