ASP.NET Identity Password Validator against Pwned Passwords by Troy Hunt

Pwned Passwords Validator

This project is an ASP.NET Identity password validator that checks a candidate password against Pwned Passwords by Troy Hunt. If the password is found among the leaked passwords, it is refused.

There is a blog article and a live coding session recording available, but in Czech only.

Basic use

  1. Install package Altairis.Services.PwnedPasswordsValidator.
  2. Register the PwnedPasswordsValidator class in the ConfigureServices method of your startup class, e.g. with the default settings:
services.AddDefaultIdentity<IdentityUser>()
    .AddDefaultUI(UIFramework.Bootstrap4)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddPasswordValidator<PwnedPasswordsValidator<IdentityUser>>();

Configuration

There is a single configuration parameter, the request timeout, which defaults to 5 seconds. If the server does not respond within the defined timeout, the validator fails open: the password is allowed and an error is logged.

To configure the timeout, inject the PwnedPasswordsValidatorOptions class:

services.Configure<PwnedPasswordsValidatorOptions>(c => {
    c.RequestTimeout = TimeSpan.FromSeconds(10);
});
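
The timeout behaviour described above, as an added sketch that is not this package's source code: a hypothetical `SketchPwnedValidator` with a hypothetical `failOpen` switch, showing where the allow-on-timeout decision sits and what a fail-closed variant would return. It assumes the public Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/{prefix}`), which receives only the first five hex characters of the SHA-1 hash.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical validator for illustration; class, field and error code names are assumptions.
public class SketchPwnedValidator<TUser> : IPasswordValidator<TUser> where TUser : class {
    private static readonly HttpClient Http = new HttpClient();
    private readonly TimeSpan timeout = TimeSpan.FromSeconds(5); // same default as described above
    private readonly bool failOpen = true;                       // true = allow password when the check fails

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password) {
        string hash;
        using (var sha1 = SHA1.Create()) {
            hash = string.Concat(sha1.ComputeHash(Encoding.UTF8.GetBytes(password)).Select(b => b.ToString("X2")));
        }
        var prefix = hash.Substring(0, 5); // the only part of the hash that leaves the server
        var suffix = hash.Substring(5);    // compared locally against the returned list
        try {
            using (var cts = new CancellationTokenSource(timeout))
            using (var response = await Http.GetAsync("https://api.pwnedpasswords.com/range/" + prefix, cts.Token)) {
                response.EnsureSuccessStatusCode();
                var body = await response.Content.ReadAsStringAsync();
                // Each response line has the form "HASHSUFFIX:COUNT".
                var found = body.Split('\n')
                    .Any(line => line.StartsWith(suffix + ":", StringComparison.OrdinalIgnoreCase));
                return found ? Pwned() : IdentityResult.Success;
            }
        } catch (Exception ex) when (ex is HttpRequestException || ex is OperationCanceledException) {
            // Timeout or network failure: the policy decision is made here.
            // A production validator would also log the error at this point.
            return failOpen ? IdentityResult.Success : Unavailable();
        }
    }

    private static IdentityResult Pwned() => IdentityResult.Failed(new IdentityError {
        Code = "PwnedPassword", Description = "This password appears in known data breaches." });

    private static IdentityResult Unavailable() => IdentityResult.Failed(new IdentityError {
        Code = "PwnedCheckUnavailable", Description = "The password check is unavailable, try again later." });
}
```

With `failOpen` set to `false`, an outage of the remote service blocks registrations and password changes instead of silently skipping the breach check, so the choice is an availability versus assurance trade-off.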

Acknowledgements

Author & Legal
