Last year Troy Hunt added a password look-up service to his brilliant Have I Been Pwned.
The new addition exposed an API where anyone could look up whether a password they’ve used had ever been involved in a data security breach. He argues that if it has been, it shouldn’t re-used again.
You may or may not agree with it, that’s for you to decide. We do, incidentally, agree with that position.
As such, we’re making it an integral part of our upcoming User Password Policy system inside Shield Security.
Understanding ‘Pwned’ Passwords A Bit More
If a password has been involved in a data breach and this data is accessible and relevant, it’s part of the ‘pwned passwords’ database.
Troy goes into more details here.
Basically the aim of all this is: don’t use passwords that have been involved in user account data breaches.
How do you know if a password is one of those? You can use the Pwned Passwords tool right now to look-up your password if you like.
How Does This Work With Shield Security?
We’re bringing a Password Policies module to the Shield WordPress plugin.
As part of this, we’re going to integrate automatic look-up in the new ‘pwned passwords’ API v2.
If it’s enabled, when a user re/sets a password, Shield will look it up and check for whether or not it’s been pwned.
If it’s there, it’ll return an error for the user and they’ll need to choose another password.
Waait… Does Shield Send The User’s Password To A 3rd Party?
With v2 of this service, they’ve made it really easy to obfuscate the passwords that are being sent to the API.
At no point does Shield either send the password, or even the fully hashed password to the service.
Sounds Sweet! How can I get access to this?
This integration is coming as part of the new Password Policy module that’s already under development.
Shield will provide you with the following functionality:
- prevent use of ‘pwned passwords’.
- enforce minimum password length.
- enforce minimum password strength.
- enforce a password expiration.
- apply these policies retrospectively to existing passwords forcing users to update passwords when they login again.
- expire all passwords forcing all users to reset their passwords after they next login.
Feature Requests, Suggestions and Comments
This feature is under development at the moment so we’re interested to take on any suggestions and feedback you may have.
As always, you can leave comments below and we’ll get back to you.
Note: The Pwned Password lookup feature will be a free feature within Shield, reflecting the generously free nature of the API that Troy Hunt has provided. Other password policy settings may be Pro-only upon release.