Yesterday evening I posted a tweet about improving user-entered passwords using Troy Hunt's service Have I Been Pwned.
|A promotional tweet about my dragonbe/hibp package|
Just to give you an idea of how the Have I Been Pwned service works, I created this little diagram to visualise how I'm using the service.
|Visual representation of using HIBP service|
No passwords are sent in the clear over the internet.
No full hashes are exposed to Have I Been Pwned.
All verification happens on the server where the user enters their password.
To give you an idea of how this looks in PHP code, here's a really simple example. BEWARE: this is just code used as an example! Do not copy/paste it and use it in production, as it has no filtering and validation of input values!!!
- No passwords are shared with HIBP
- All checks occur within your own web application
- You can do things manually, I just provided a package to make it easier
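As an added example (not the code from the original post, nor the dragonbe/hibp package itself), here is what the check described above looks like in plain PHP: only the first five hex characters of the password's SHA-1 hash are sent, and the comparison against the returned suffix list happens on your own server. The range endpoint URL, the five-character prefix length and the `Add-Padding` header are taken from the public Pwned Passwords API rather than from this page; the demo response at the bottom is constructed.

```php
<?php
// Added example: k-anonymity check against Pwned Passwords.
// Only a 5-char SHA-1 prefix leaves the server; matching is local.

const HIBP_RANGE_URL = 'https://api.pwnedpasswords.com/range/'; // public HIBP API

/**
 * Split the uppercase SHA-1 hex digest into the 5-char prefix that is
 * sent to HIBP and the 35-char suffix that never leaves this server.
 */
function hibpPrefixSuffix(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Parse a range response ("SUFFIX:COUNT" per line) and return how many
 * times our suffix appears in known breaches (0 = not found).
 */
function hibpCountFromRange(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\R/', trim($rangeBody)) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        [$candidate, $count] = array_pad(explode(':', $line, 2), 2, '0');
        // Constant-time compare avoids leaking which suffix matched via timing.
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }
    return 0;
}

/**
 * Live check. Returns the breach count, or null when HIBP is unreachable
 * so the caller can decide whether to fail open or closed (and log it).
 */
function hibpPasswordBreachCount(string $password): ?int
{
    [$prefix, $suffix] = hibpPrefixSuffix($password);
    $headers = "Add-Padding: true\r\nUser-Agent: example-app\r\n"; // padding hides response size
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'header' => $headers]]);
    $body = @file_get_contents(HIBP_RANGE_URL . $prefix, false, $ctx);
    return $body === false ? null : hibpCountFromRange($body, $suffix);
}

// Offline demo with a constructed range response (counts are made up).
[$prefix, $suffix] = hibpPrefixSuffix('password'); // prefix is 5BAA6
$fakeRange = "0018A45C4D1DEF81644B54AB7F969B88D65:3\n{$suffix}:12345\n";
var_dump(hibpCountFromRange($fakeRange, $suffix)); // int(12345)
```

In a real sign-up or password-change handler you would call `hibpPasswordBreachCount()` and reject (or at least warn on) any password with a non-zero count, treating `null` as a monitoring event rather than a silent pass.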
I am not in the business of stealing passwords or hijacking your good password processes and policies. The composer package "dragonbe/hibp" was built to make it easy for everyone to implement this very powerful service provided by Troy Hunt. I was doing my bit to make the internet a safer place for everyone.
Why would you implement the Have I Been Pwned service in your web application?
Not everyone who uses a computer is aware that choosing strong passwords is hard work, and password managers are neither mandatory by law nor installed by default by OS vendors: don't expect everyone to apply good password hygiene.
By ensuring your users have passwords that are strong enough and have not already appeared in earlier breaches (see Have I Been Pwned), you can at least ensure that if someone's username and password are compromised elsewhere, that pair cannot be reused against your own application or service. It's not a 100% guarantee that bad guys aren't exploiting your users' accounts, but at least it makes compromise based on earlier breaches harder.