Pwned Passwords Validator

This project is ASP.NET Identity Password Validator that checks candidate password against Pwned Passwords by Troy Hunt. If the password is found in leaked passwords, it's refused.

There is a blog article and live coding session recording available, but in Czech language only.

Basic use

Install package Altairis.Services.PwnedPasswordsValidator.
Register the PwnedPasswordsValidator class in the ConfigureServices method of your startup class, ie. with the default settings:

services.AddDefaultIdentity<IdentityUser>()
    .AddDefaultUI(UIFramework.Bootstrap4)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddPasswordValidator<PwnedPasswordsValidator<IdentityUser>>();

Configuration

There is single configuration parameter and that's request timeout, which is by default 5 seconds. If the server does not respond within defined timeout, the password is allowed and error is logged.

To configure the timeout, inject the PwnedPasswordsValidatorOptions class:

services.Configure<PwnedPasswordsValidatorOptions>(c => {
    c.RequestTimeout = TimeSpan.FromSeconds(10);
});

Acknowledgements

This tweet by Troy Hunt was my primary inspiration.
The Creating a validator to check for common passwords in ASP.NET Core Identity article by Andrew Lock was another source.
I'm using the Have I Been Pwned service by Troy Hunt

Author & Legal

This project was created by Michal Altair Valášek
I'm Microsoft MVP for Visual Studio and Development Technologies
Licensed under terms of the MIT License
This project has No Code of Conduct (NCoC)

About

ASP.NET Identity Password Validator against Pwned Passwords by Troy Hunt

MIT License

Languages

Language:C# 73.2%Language:HTML 23.0%Language:CSS 3.1%Language:JavaScript 0.6%