People have a terrible habit of using the same password over and over and oftentimes have no clue the password they use isn’t safe anymore. It’s also a common oversight by most creators not to add this. Add a Setting to enable/disable of course.
I’ve used this as part of the Shield Security plugin. It’s a nice feature, definitely would be nice to have in the core. But can be easily done as a plugin.
Do you still think this should be in the core @james ?
I think this could be a good feature for our Security page, letting admins set site-wide settings and enforce them for all users.
The few options that make sense to offer:
Enforcement mode:
Notify - will notify user but not require new password
Require - will require user to pick a new password
And we might want to offer a bulk option to select users and perform an HIBP check.
Yes, this has my vote as a basic measure to improve password security.
An implementation should probably start as a research plugin anyway, and then evaluation of whether it should be included in core would happen separately.
GET https://api.pwnedpasswords.com/range/{first 5 hash chars}
Elsewhere on that page:
Authorisation is required for all APIs that enable searching HIBP by email address,
Searching based on password hash is not such an API, so it does not require authorisation/authentication.
We would probably still want to set up a proxy service for HIBP where we have sites query api-v1.classicpress.net and store the results on our servers. This would allow us to minimize the number of calls to their servers and also respond with an error if that service becomes unavailable at some point in the future.
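The range lookup quoted above (GET .../range/{first 5 hash chars}) and the outage behaviour the proxy post wants can be shown end to end. The following is an added example written for this thread, not code from ClassicPress, the Shield plugin or HIBP; it is in Python so it can run stand-alone rather than as a plugin. The SHA-1 of the password is split into a 5-character prefix (the only part sent to the API) and a 35-character suffix compared locally, the `SUFFIX:COUNT` response is parsed, count-0 padding rows are dropped, and the Notify/Require modes from the proposal decide what happens. The HTTP call is replaced by `sample_fetch` and `outage_fetch`, both constructed for the example, and the response body and counts are made up; only the suffix of SHA-1("password") is real.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Endpoint named in the thread. Only the 5-char prefix ever leaves the site.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the prefix that is
    sent to the API and the suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Rows with count 0 are padding the API adds
    when the Add-Padding header is used; they are dropped here."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # malformed row: skip rather than crash the check
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Occurrences of the password in the breach corpus: 0 if absent,
    None if the range lookup failed (service or proxy unavailable)."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetch_range(prefix)
    except Exception:
        return None
    return parse_range_response(body).get(suffix, 0)


def enforcement_decision(password: str, mode: str,
                         fetch_range: Callable[[str], str]) -> str:
    """Apply the proposal's enforcement modes: 'notify' or 'require'."""
    count = pwned_count(password, fetch_range)
    if count is None:
        return "unavailable"  # do not lock users out on an outage; log and retry later
    if count == 0:
        return "ok"
    return "require_change" if mode == "require" else "notify"


# Constructed stand-in for the body the API would return for prefix 5BAA6.
# The second suffix is the real suffix of SHA-1("password"); every count
# and the other suffixes are invented for this example.
SAMPLE_RANGE_5BAA6 = """\
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FFEEDDCCBBAA99887766554433221100FFE:42
1234567890ABCDEF1234567890ABCDEF123:7
"""


def sample_fetch(prefix: str) -> str:
    """Offline replacement for an HTTP GET of RANGE_URL + prefix."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_5BAA6
    raise ConnectionError("constructed: no sample data for prefix " + prefix)


def outage_fetch(prefix: str) -> str:
    """Simulates the HIBP service (or the proposed proxy) being down."""
    raise ConnectionError("constructed outage")


if __name__ == "__main__":
    for pw, mode, fetch in (("password", "notify", sample_fetch),
                            ("password", "require", sample_fetch),
                            ("password", "require", outage_fetch)):
        print(pw, mode, "->", enforcement_decision(pw, mode, fetch))
```

A proxy such as the api-v1.classicpress.net service suggested above would sit behind `fetch_range`: it receives the same 5-character prefix, caches the upstream body per prefix, and raises when upstream is unreachable and nothing is cached, which this code maps to "unavailable" rather than to a false "ok".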
I use bcrypt on all my sites too. I did open a PR for it soon after CP first started, but it didn’t get implemented because of a theoretical edge case which I’ve never seen occur. I’m wondering whether it might be worth looking at argon2 now instead; that doesn’t have the same theoretical edge case.