Pretty sick, will prob impl it in my server
From the looks of it, you're comparing hashed passwords to a database that contains other hashed passwords.
If this is the case, the tool is pretty useless as you haven't tied it to a specific username. If I want to use the password "password", I won't be able to because it'll probably be in your database.
If my secure pa55W0@rd! is in your database, I'll get given an "unable to login complete" or your "password is too weak"??
As a player, what if I don't care that my password is in a leaked database because in this implementation, you can't tie anything back to a username?
There are a few more points, including other technical flaws, I can make, but these are the first 3 that come to mind.
Why not just implement password complexity and leave it at that?
It’s not designed for that kinda scenario. There are other sites available which can check usernames and emails that are listed in breaches. This is specific for servers who want to warn players of weak passwords before they login - it’s not mainly to do with the player caring that their password is on a leaked rsps database. A lot of players use the same weak passwords, but they may be under a different username. Comparing the username & password is a less likely hit. Tools that most people use to attack players don't look up the usernames, they’ll just brute force with the weakest and most common passwords.
-------------------------------
I take everything back. The NIST 2020 guidelines recommend that passwords are checked against a breach list.
Good tool to adapt onto your platform would be https://haveibeenpwned.com/Passwords alongside your current dataset (https://haveibeenpwned.com/API/v3).
-------------------------------
Should be worth mentioning that on the main post!
I didn't know about the API until a few months ago but it's pretty neat - let users know if their password is weak, or has been breached before, upon login or password change.
If a user decides to proceed then at least you've given them a warning.
I've seen AIO solutions, such as Ory Kratos, build it in too.
Just wrote some code testing the haveibeenpwned/API/v3 API if you guys want it.
To note: on error, we return false here to keep your program from stopping if the API goes down:

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Level;
import java.util.logging.Logger;

/** @author Kiissmyswagb */
public class HaveIBeenPwned {

    // Range endpoint of the Pwned Passwords API: only the first 5 hex chars of the
    // SHA-1 are sent (k-anonymity); the full hash never leaves the server.
    private static final String API_URL = "https://api.pwnedpasswords.com/range/";

    // java.util.logging is used so the class compiles stand-alone; swap in the
    // server's own logger if it has one.
    private static final Logger LOGGER = Logger.getLogger(HaveIBeenPwned.class.getName());

    public static boolean pwned(String password) {
        var hashed = sha1(password.getBytes(StandardCharsets.UTF_8));
        if (hashed != null) {
            try {
                var url = new URL(API_URL + hashed.substring(0, 5));
                var http = (HttpURLConnection) url.openConnection();
                http.setRequestMethod("GET");
                if (http.getResponseCode() == HttpURLConnection.HTTP_OK) {
                    var suffix = hashed.substring(5);
                    try (var reader = new BufferedReader(
                            new InputStreamReader(http.getInputStream(), StandardCharsets.UTF_8))) {
                        // The response is one "SUFFIX:COUNT" pair per line, uppercase hex.
                        String line;
                        while ((line = reader.readLine()) != null) {
                            if (line.startsWith(suffix)) {
                                return true;
                            }
                        }
                    }
                }
            } catch (Exception e) {
                LOGGER.log(Level.SEVERE, e.getMessage(), e);
            }
        }
        // On any error (API down, network failure) fail open so logins keep working.
        return false;
    }

    /** Uppercase hex SHA-1, matching the case the API uses. */
    public static String sha1(byte[] input) {
        try {
            var digest = MessageDigest.getInstance("SHA-1").digest(input);
            var sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            LOGGER.log(Level.SEVERE, e.getMessage(), e);
        }
        return null;
    }
}
```

Unit tested with:

```java
assertTrue(HaveIBeenPwned.pwned("password"));
assertFalse(HaveIBeenPwned.pwned(RandomStringUtils.randomAlphanumeric(24)));
```
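The same k-anonymity range lookup in Python, as an added example that is not code from this thread: it parses the SUFFIX:COUNT lines (including the 0-count padding entries the API's Add-Padding header produces) instead of substring-matching the whole body, and returns the breach count so the server can decide how strongly to warn. The sample response below is constructed; the RANGE_URL and header names are the public API's.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body, suffix):
    """Return the breach count for suffix from a range response.
    Lines are 'SUFFIX:COUNT'; padded responses add lines with count 0,
    which must count as 'not found'."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0

def fetch_range(prefix):
    """Live lookup of one range. 'Add-Padding' asks the API to pad the
    response so its size does not reveal which range was requested."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetcher=fetch_range):
    """Breach count, or 0 if the lookup fails, so a login path degrades to
    'no warning' rather than breaking when the API is down."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetcher(prefix)
    except Exception:
        return 0
    return parse_range_response(body, suffix)

# Constructed sample response for prefix 5BAA6 (SHA-1("password") =
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are invented; the
# 0-count line imitates a padding entry.
SAMPLE_RESPONSE = (
    "0123456789ABCDEF0123456789ABCDEF012:0\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:2\r\n"
)
```

Call `pwned_count("password")` to do a live lookup; pass `fetcher=lambda prefix: SAMPLE_RESPONSE` to exercise the parser offline.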