Thank you 🙂
On the webpage corresponding to this plugin I can read:
"Passwords can also be checked against a list of the 10,000 most commonly used ones.
Passwords can also be checked anonymously against the haveibeenpwned passwords API."
I guess the plugin doesn't yet provide a way to prevent the re-use of "compromised" passwords, right? I mean passwords that users may have shared with others, for instance. Or passwords that are lying around, written on a post-it...
One way to do this, though, according to what I quoted above, would be to allow the admin to define a custom list of banned passwords. I don't know if the aforementioned list of the 10,000 most commonly used passwords is stored online or locally. If it's locally, maybe the admin could add passwords to this list in order to make sure they are not used. Otherwise (if it's online), maybe passpolicy could check passwords against a 3rd list: a local blacklist that the admin could manage.
Now, I imagine 2 scenarios:
- the admin knows that UserX has his password compromised and the admin knows the password of UserX
-> the admin can manually add the password to the blacklist
- the admin knows that UserX has his password compromised but the admin doesn't know the password of UserX
-> the admin should be able to tell the passpolicy plugin to blacklist the current password of UserX and force UserX to choose a new password.
What do you think?
Does this make any sense?
Is it something you might consider implementing?
Best,
-a-
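The checks described in this post, as an added example that is not part of the passpolicy plugin or of the original post: a local common-password list, an admin-managed blacklist that stores only salted hashes (so scenario 2, banning a user's current password without knowing it, works by banning the stored hash), and the anonymous haveibeenpwned range lookup. The range response is a constructed sample so the code runs offline; the `HIBP_RANGE_URL` endpoint is the real one but is never contacted here, and all user and policy names are assumptions.

```python
"""Added example, not part of the passpolicy plugin. Combines three sources
for rejecting a password: a local common-password list, an admin blacklist
kept as salted hashes, and a k-anonymity haveibeenpwned (HIBP) range check."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not contacted here

# Constructed sample of what the range endpoint returns for prefix "5BAA6":
# one "<35-char SHA-1 suffix>:<breach count>" per line. The second suffix is the
# real SHA-1 tail of the string "password"; the counts are made up for this demo.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def hibp_split(password: str) -> tuple[str, str]:
    """k-anonymity: only the 5-character SHA-1 prefix would ever be sent to HIBP."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_breach_count(password: str, range_body: str) -> int:
    """Match the locally kept suffix against the returned range; 0 means not found."""
    _, suffix = hibp_split(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and hmac.compare_digest(candidate.upper(), suffix):
            return int(count or 0)
    return 0


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the blacklist never holds a plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class PasswordPolicy:
    common: set[str]  # e.g. the 10,000 most common passwords, lowercased
    banned: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)

    def ban_plaintext(self, password: str) -> None:
        """Scenario 1: the admin knows the compromised password; store only its hash."""
        self.banned.append(hash_password(password))

    def ban_hash(self, salt: bytes, digest: bytes) -> None:
        """Scenario 2: the admin only has the user's stored hash, never the plaintext."""
        self.banned.append((salt, digest))

    def check(self, password: str, range_body: str | None = None) -> list[str]:
        """Return the reasons a password is rejected; an empty list means accepted."""
        reasons = []
        if password.lower() in self.common:
            reasons.append("common")
        for salt, digest in self.banned:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                reasons.append("banned")
                break
        if range_body is not None and hibp_breach_count(password, range_body) > 0:
            reasons.append("pwned")
        return reasons


@dataclass
class User:
    salt: bytes
    digest: bytes
    must_change: bool = False


def force_reset(policy: PasswordPolicy, user: User) -> None:
    """Scenario 2 end to end: ban the user's current hash and flag the account."""
    policy.ban_hash(user.salt, user.digest)
    user.must_change = True


def set_password(policy: PasswordPolicy, user: User, new_password: str,
                 range_body: str | None = None) -> list[str]:
    """Apply the policy; store the new hash and clear the flag only when accepted."""
    reasons = policy.check(new_password, range_body)
    if not reasons:
        user.salt, user.digest = hash_password(new_password)
        user.must_change = False
    return reasons


if __name__ == "__main__":
    policy = PasswordPolicy(common={"123456", "qwerty"})
    user_x = User(*hash_password("hunter2-but-shared"))  # constructed credential
    force_reset(policy, user_x)
    print(set_password(policy, user_x, "hunter2-but-shared"))           # ['banned']
    print(set_password(policy, user_x, "password", SAMPLE_RANGE_5BAA6))  # ['pwned']
    print(set_password(policy, user_x, "a long unique passphrase 4 wiki"),
          user_x.must_change)                                           # [] False
```

In a real plugin the `range_body` argument would be the body of an HTTPS GET to `HIBP_RANGE_URL` plus the 5-character prefix from `hibp_split`; keeping the network call outside `check` makes the policy testable offline. The per-entry salt means every candidate password is re-hashed once per banned entry, which is acceptable for an admin-sized blacklist but not for a list of ten thousand entries; that list stays in plaintext, as the plugin's description implies.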