So they want me to remove the system that prevents users from registering with passwords that have been leaked online, because “it's too much effort for a new user to come up with a new password instead of using the same one everywhere, and they might give up registering”

Giving up security for convenience doesn't usually end well, does it?

  • 4
    That's a pretty genius idea to check for leaked passwords
  • 0
    Where are you checking that out of interest?
  • 0
    @garret that doesn't list passwords though... how would you know if a password is bad?
  • 1
    @Shardj I also use the HIBP API
    They have an API where you can send part of a SHA hash of the password (only a part, because it's unique enough to see if that hash is in the database but not detailed enough to reverse the password from it)
    And it returns the number of times that password was found there
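    The range lookup described in the comment above, as an added example (not code from anyone in this thread): only the first five hex characters of the SHA-1 are sent to the real HIBP range endpoint, the rest of the hash is matched locally against the returned list. The sample response body and its counts are constructed so the check runs offline; `fetch_range` is the live network version.

```python
import hashlib
import urllib.request
from typing import Callable

# Real HIBP k-anonymity range endpoint; only a 5-char hash prefix is ever sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count
    for our suffix, or 0 when it is absent (padding entries also carry 0)."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live fetcher: GET every suffix HIBP knows for this 5-char prefix."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of breach occurrences; 0 means 'not seen', so registration may proceed."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample body for prefix 5BAA6 (SHA-1 of "password"); counts are made up.
SAMPLE_RANGE_BODY = """\
1E2BAA26F0F1F42C1A4D3DC5B8F6A2E3C29:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F0A3B6CF4A2B5D5B6E07F31C9C13B1F0E1:0
"""


def offline_fetch(prefix: str) -> str:
    """Test double standing in for the API so the example runs without network."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(breach_count("password", fetch=offline_fetch))  # 9545824
```

    Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero result is what the registration form rejects.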
  • 0
    @amahlaka what about the salt? And who says it would be any particular type of hash? It just seems very flawed
  • 0
    @Shardj you don't store the password yourself with SHA
  • 0
    @Shardj instead you do this during registration