Password validation using Unpwn #2082
Conversation
Unpwn implements a bloom filter for the million most common passwords, thus preventing extraneous API calls. The latest version hasn’t been pushed to RubyGems yet.
|
I should probably release this, shouldn't I. Ok, going over to do that... |
Looks pretty good! Thanks for doing this!
What is the timeout for the remote http call? Can we configure it?
It would be neat to see a toxiproxy test to prove that a failed or slow api wouldn't impact our service, but I'm not sure how much work that would be.
|
Unpwned doesn't currently pass options down to I agree that 60 seconds is way too long, so I think that should be fixed before this is merged. I'd argue that something around 3 to 5 seconds would be acceptable. I've never used toxiproxy, so I don't really know how to go about adding a test using it… |
|
I created a PR on Unpwn to allow the timeout to be passed through: indirect/unpwn#2 |
It is not too much work, just add the service and call |
Okay, it is not too much work if the server was on localhost. Not sure how would one go about it for external service, perhaps override it to resolve to localhost using |
|
@matiaskorhonen ping me if you need any help with Toxiproxy, I can help you if needed or I can contribute that requested test if needed. |
|
@simi If you could write that test, that'd be great |
Also updates Unpwn to get support for request options
|
Aside from the Toxiproxy test, PR is pretty much ready to merge. I tried adding the Toxiproxy endpoint using the code below, but even after disabling certificate verification I only get 403's from the upstream. I suspect that the HTTP Host header or something is missing… if (Rails.env.test? || Rails.env.development?) && Toxiproxy.running?
port = 22_222
Toxiproxy.populate(
[
{
name: 'haveibeenpwned',
listen: "127.0.0.1:#{port}",
upstream: 'api.pwnedpasswords.com:443'
}
]
)
Pwned::Password::API_URL = "https://127.0.0.1:#{port}/range/"
end |
matiaskorhonen
force-pushed
the
unpwn
branch
2 times, most recently
from
fbcf161
to
443257f
Compare
|
Something seems to be wrong at Travis so the builds aren't working (operations are timing out while trying to setup the test environment). |
|
I have restarted the main build it looks ok now. |
|
Could this be merged? |
|
Thanks so much for all your work on this! |
Check if the password chosen by the user has already been compromised in a data breach.
This uses the Unpwn gem by Andre Arko as suggested in #2052.
Unpwn 1.0 hasn't been published to RubyGems.org yet, so this shouldn't be merged before that happens…The Pwned Passwords API “implements a k-Anonymity model that allows a password to be searched for by partial hash”.
You can read more about the k-Anonymity model in Troy Hunt's blog post about it, but the gist of it is that it allows passwords to be checked for breaches without revealing the password to a third party.
If the API cannot be reached or it errors out, the pwned password check is bypassed and the password is presumed to be valid.