OTP PIN blacklist #1428

Open
cornelinux opened this Issue Feb 6, 2019 · 3 comments

@cornelinux
Member

cornelinux commented Feb 6, 2019

We already have OTP PIN contents policies:
https://privacyidea.readthedocs.io/en/latest/policies/user.html#otp-pin-contents

Why not provide an OTP PIN blacklist?

The blacklist could contain the compromised passwords of major password leaks.
Or it could contain customer specific entries.
Administrators could manage the blacklist.

The question is:

  • Plain file?
  • Plain entries or hashed passwords?
  • How to handle the blacklisted passwords? In the token database, so that it gets synced in an HA setup?
    • In a Berkeley DB or Redis?
  • Add passwords to the blacklist via command line or REST API?

@cornelinux cornelinux added the idea ! label Feb 6, 2019

@plettich


Contributor

plettich commented Feb 6, 2019

What about checking against a different (internal) service?
How do, e.g., Linux distros check for bad passwords? Maybe we can utilize these tools.

@cornelinux


Member Author

cornelinux commented Feb 6, 2019

Yes, there is an online service from haveibeenpwned that fetches part of the hashes of passwords.
I think it would be great if we could combine both.
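The two mechanisms discussed in this thread, an administrator-managed blacklist (plain or hashed entries) and the haveibeenpwned-style lookup that sends only a prefix of the password hash, can be sketched in one place. The following is an added example written for this issue; it is not privacyIDEA code and does not use the privacyIDEA API. It assumes the blacklist is stored as SHA-1 hex digests (so the file never holds plaintext PINs), and it simulates the range lookup offline with a constructed index instead of calling the real service, so the whole block runs without network access.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Constructed sample blacklist (assumption: what an admin would ban, plus a
# few entries typical of leaked-password lists). Only used to build test data.
_SAMPLE_PLAINTEXT = ["1234", "0000", "1111", "password", "qwerty"]

_HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")


def pin_sha1(pin: str) -> str:
    """Uppercase hex SHA-1 of the PIN (the digest form the HIBP range API uses)."""
    return hashlib.sha1(pin.encode("utf-8")).hexdigest().upper()


def load_blacklist(lines: Iterable[str]) -> Set[str]:
    """Build a set of SHA-1 digests from a plain-file blacklist.

    Each line may be either a plaintext PIN or an already-hashed 40-hex entry,
    so an admin can ship hashed lists without exposing the PINs themselves.
    Blank lines and '#' comments are ignored.
    """
    digests: Set[str] = set()
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        digests.add(entry.upper() if _HEX40.match(entry) else pin_sha1(entry))
    return digests


# Constructed blacklist mixing plaintext and pre-hashed entries.
HASHED_BLACKLIST: Set[str] = load_blacklist(
    ["# constructed sample list"] + _SAMPLE_PLAINTEXT[:3]
    + [pin_sha1(p) for p in _SAMPLE_PLAINTEXT[3:]]
)


def is_blacklisted_local(pin: str, blacklist: Set[str] = HASHED_BLACKLIST) -> bool:
    """Local check: hash the candidate PIN and look it up in the hashed set."""
    return pin_sha1(pin) in blacklist


# --- k-anonymity style range lookup (simulated offline) ---------------------

def build_range_index(blacklist: Set[str]) -> Dict[str, List[str]]:
    """Index digests by their first 5 hex chars, the prefix a client would send."""
    index: Dict[str, List[str]] = {}
    for digest in blacklist:
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def range_response(prefix: str, index: Dict[str, List[str]]) -> str:
    """Constructed stand-in for the service reply: 'SUFFIX:COUNT' lines for the prefix."""
    return "\r\n".join(f"{suffix}:1" for suffix in sorted(index.get(prefix, [])))


def is_blacklisted_range(pin: str, index: Dict[str, List[str]]) -> bool:
    """Only the 5-char prefix leaves the client; the full digest is matched locally."""
    digest = pin_sha1(pin)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_response(prefix, index).splitlines():
        if not line:
            continue
        candidate, _, _count = line.partition(":")
        if candidate == suffix:
            return True
    return False


def pin_allowed(pin: str, blacklist: Set[str] = HASHED_BLACKLIST) -> bool:
    """Combined policy: reject a PIN if either the local list or the range check hits."""
    index = build_range_index(blacklist)
    return not (is_blacklisted_local(pin, blacklist) or is_blacklisted_range(pin, index))


if __name__ == "__main__":
    for candidate in ["1234", "qwerty", "correct horse battery staple"]:
        print(candidate, "allowed" if pin_allowed(candidate) else "rejected")
```

In a real deployment the `range_response` stand-in would be replaced by the HTTP call to the range endpoint, and the hashed set would live wherever the thread's open question about HA synchronisation is settled; the prefix/suffix split is what keeps the candidate PIN from ever leaving the server in full.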
