This project is an ASP.NET Identity password validator that checks a candidate password against Pwned Passwords by Troy Hunt. If the password is found in the leaked-password data set, it is refused.
A blog article and a live coding session recording are available, but in Czech only.
- Install the `Altairis.Services.PwnedPasswordsValidator` package.
- Register the `PwnedPasswordsValidator` class in the `ConfigureServices` method of your startup class, i.e. with the default settings:

```csharp
services.AddDefaultIdentity<IdentityUser>()
    .AddDefaultUI(UIFramework.Bootstrap4)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddPasswordValidator<PwnedPasswordsValidator<IdentityUser>>();
```
There are two configuration parameters:

- `RequestTimeout` - if the server does not respond within the defined timeout (default is 5 seconds), the password is allowed and an error is logged.
- `GetLocalizedErrorMessage` - the `Func<string>` delegate that returns the error message placed into the returned `IdentityResult`. The default error message is "Password was found in haveibeenpwned.com password dumps." For localization scenarios, you will most likely want to load the string from resources.
To change the options, configure the `PwnedPasswordsValidatorOptions` class:

```csharp
services.Configure<PwnedPasswordsValidatorOptions>(c => {
    c.RequestTimeout = TimeSpan.FromSeconds(10);
    c.GetLocalizedErrorMessage = () => "Your password has been pwned.";
});
```
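As an added illustration (not the package's own code), the following standalone `IPasswordValidator<TUser>` performs the same kind of check against the Pwned Passwords range API and reproduces the fail-open timeout behaviour described above. The class name, the `PwnedPassword` error code and the User-Agent string are assumptions, and the code assumes .NET 5 or later.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

// Hypothetical validator, added for illustration. It uses the range API's k-anonymity
// scheme: only the first five hex characters of the password's SHA-1 leave the server.
public class RangeApiPasswordValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    private static readonly HttpClient Http = new HttpClient
    {
        BaseAddress = new Uri("https://api.pwnedpasswords.com/range/"),
        DefaultRequestHeaders = { UserAgent = { new ProductInfoHeaderValue("ExampleValidator", "1.0") } } // the API requires a User-Agent
    };
    private readonly TimeSpan timeout;
    private readonly ILogger<RangeApiPasswordValidator<TUser>> logger;
    public RangeApiPasswordValidator(ILogger<RangeApiPasswordValidator<TUser>> logger, TimeSpan? timeout = null)
    {
        this.logger = logger;
        this.timeout = timeout ?? TimeSpan.FromSeconds(5); // same default as the package
    }
    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
    {
        // The API is keyed by upper-case hex SHA-1: send the 5-char prefix, compare the suffix locally.
        var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
        var (prefix, suffix) = (hash[..5], hash[5..]);
        try
        {
            using var cts = new CancellationTokenSource(this.timeout);
            var body = await Http.GetStringAsync(prefix, cts.Token);
            // Each response line is "SUFFIX:COUNT"; a line starting with our suffix means a breached password.
            var breached = body.Split('\n').Any(line => line.StartsWith(suffix, StringComparison.OrdinalIgnoreCase));
            return breached
                ? IdentityResult.Failed(new IdentityError { Code = "PwnedPassword", Description = "Password was found in haveibeenpwned.com password dumps." })
                : IdentityResult.Success;
        }
        catch (Exception ex) when (ex is OperationCanceledException || ex is HttpRequestException)
        {
            // Fail open, as the package does: an unreachable API must not block sign-up, but the outage is logged.
            this.logger.LogError(ex, "Pwned Passwords lookup failed within {Timeout}; password accepted unchecked.", this.timeout);
            return IdentityResult.Success;
        }
    }
}
```

Register it with `.AddPasswordValidator<RangeApiPasswordValidator<IdentityUser>>()` in place of the package validator shown above; the fail-open branch trades strictness for availability, so the logged error is what tells you the check was skipped.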
- This tweet by Troy Hunt was my primary inspiration.
- The Creating a validator to check for common passwords in ASP.NET Core Identity article by Andrew Lock was another source.
- I'm using the Have I Been Pwned service by Troy Hunt.
- This project was created by Michal Altair Valášek.
- I'm a Microsoft MVP for Visual Studio and Development Technologies.
- Licensed under the terms of the MIT License.
- This project has No Code of Conduct (NCoC).