
Blocking Compromised Passwords on PyPI - ingve
https://caremad.io/posts/2018/08/pypi-compromised-passwords/
======
moviuro
Integrating HIBP checks in online platforms is nice, but what about the public
(and admins) at large? Has HIBP been integrated in upstream for
registration/login forms in "usual" software? I'm thinking about Nextcloud[0],
Wordpress, GitLab, etc.

There should be no harm in doing it, and the admin would get a new switch
"check the password with HIBP at login time (Y/n)". This could have a good
impact - and it could be done from either client or server-side.

EDIT: after checking, it's already in Nextcloud: [0]
[https://github.com/nextcloud/password_policy/commit/fed9c37f...](https://github.com/nextcloud/password_policy/commit/fed9c37ff620cb74dc027a5a40b27313e26c5ba3)
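
The check being proposed here, whether done client- or server-side, is the Pwned Passwords k-anonymity lookup: hash the candidate password with SHA-1, send only the first five hex characters of the digest to the service, and compare the returned suffixes locally so the full hash never leaves the host. The following is an added example, not code from the post, the thread, or any of the projects named in it. The range response and its counts are constructed for the example (only the suffix for "password" is the genuine remainder of its SHA-1); the endpoint URL and the `Add-Padding` header are the public API's, and `fetch_range_http` is included for reference but not exercised offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the SHA-1 prefix of "password".
# The suffix on the second line is the genuine remainder of SHA-1("password");
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0042D8F1AA1B2C6E4B1B42F6A3E5C8E62A1:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "2A0F5E1AE0B5D6AB2C8E16F2D7C3DB1A9E1:0\r\n"  # padded responses contain count-0 decoys
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            continue  # skip malformed lines instead of failing the whole check
        table[suffix.upper()] = int(count)
    return table


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def fetch_range_http(prefix: str, timeout: float = 5.0) -> str:
    """Real lookup against the public API (not exercised by the offline example)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how often the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def password_is_compromised(password: str, fetch_range=fetch_range_offline) -> bool:
    # With padding enabled, decoy suffixes appear with count 0, so test the
    # count rather than bare membership in the table.
    return breach_count(password, fetch_range) > 0
```

One operational point for the "(Y/n)" switch an admin would flip: treat a failed or timed-out lookup as "unknown" rather than "compromised", and decide explicitly whether an unknown result blocks the login or only logs it, so an outage of the external service does not lock users out.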

~~~
ubernostrum
There are libraries for doing this, but it's ultimately up to each
site/service to implement.

I maintain an add-on for Django that does this, for example, but I can't force
people to go and use it, though I also maintain one of the more popular user-
registration apps and I probably _will_ find a way to enable it by default in
there.

~~~
Flimm
Could I have a link to your Django add-on?

~~~
ubernostrum
[https://github.com/ubernostrum/pwned-passwords-django](https://github.com/ubernostrum/pwned-passwords-django)

------
7373737373
Wouldn't it be sensible to use a bloom filter instead of iterating over all
passwords?
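
The trade-off behind this question, as an added example that is not from the post or from anyone in the thread: a Bloom filter sized for n entries at false-positive rate p needs only m = -n ln p / (ln 2)^2 bits and answers membership with k hash probes, so a site could hold a compact local copy of the breach list instead of scanning it. The cost is that a small fraction of never-breached passwords get rejected (a false positive), which is usually acceptable for a password-policy check, while a breached password is never missed (no false negatives). The breach list below is constructed, and the sha256-based double hashing is one of several standard ways to derive the k positions.

```python
import hashlib
import math


class BloomFilter:
    """Minimal Bloom filter over byte strings, sized from (n, p) in the usual way."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        # Optimal bit count m = -n ln p / (ln 2)^2 and hash count k = (m / n) ln 2.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step so the probes spread out
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach list: a few well-known weak passwords plus synthetic filler
# so the filter is sized for exactly 1,000 entries.
COMPROMISED = ["password", "123456", "qwerty", "letmein", "welcome"] + [
    f"breached-{i}" for i in range(995)
]


def build_filter(passwords, false_positive_rate: float = 0.01) -> BloomFilter:
    bf = BloomFilter(len(passwords), false_positive_rate)
    for pw in passwords:
        bf.add(sha1_hex(pw).encode("ascii"))  # store hashes, as the published list does
    return bf


FILTER = build_filter(COMPROMISED)


def is_compromised(bf: BloomFilter, password: str) -> bool:
    """True if the filter reports the password; may be a false positive, never a false negative."""
    return sha1_hex(password).encode("ascii") in bf


def estimate_false_positive_rate(bf: BloomFilter, trials: int = 10000) -> float:
    """Probe with passwords known not to be in the filter and count spurious hits."""
    hits = sum(is_compromised(bf, f"never-breached-{i}") for i in range(trials))
    return hits / trials
```

At 1% the filter above uses about 9.6 bits per entry, and the same arithmetic scales linearly: the bit count is decided by n and p alone, independent of how large each stored hash is. Whether the space saving is worth the false positives, and the cost of rebuilding the filter whenever the list is updated, is the question the post's footnote addresses.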

~~~
crtasm
See footnote 4 on the post.

------
danjoc
Fig leaf. Implement package signatures.

>ESLint

Glass houses. SSH Decorator was much worse, it stole SSH keys.

