Pwned Passwords Validator
This project is an ASP.NET Identity password validator that checks a candidate password against Pwned Passwords by Troy Hunt. If the password is found among the leaked passwords, it is refused.
A blog article and a recording of a live coding session are available, but in Czech only.
Basic use

- Install the `Altairis.Services.PwnedPasswordsValidator` package.
- Register the `PwnedPasswordsValidator` class in the `ConfigureServices` method of your startup class, e.g. with the default settings:

```csharp
services.AddDefaultIdentity<IdentityUser>()
    .AddDefaultUI(UIFramework.Bootstrap4)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddPasswordValidator<PwnedPasswordsValidator<IdentityUser>>();
```
Configuration
There is a single configuration parameter, the request timeout, which defaults to 5 seconds. If the server does not respond within the configured timeout, the password is allowed and an error is logged.
To change the timeout, configure the `PwnedPasswordsValidatorOptions` class:

```csharp
services.Configure<PwnedPasswordsValidatorOptions>(c => {
    c.RequestTimeout = TimeSpan.FromSeconds(10);
});
```
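To show what such a validator does under the hood, here is an added example (not the package's own code) of a minimal `IPasswordValidator<TUser>` that queries the Pwned Passwords range API using k-anonymity (only the first five hex characters of the password's SHA-1 hash are sent) and, like the behaviour described above, allows the password and logs an error when the request times out or fails. It assumes .NET 5 or later; the class name, the `timeout` constructor parameter and the error code are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

// Added example, not the package's code: k-anonymity range lookup that fails open on timeout.
public class SimplePwnedPasswordsValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly TimeSpan _timeout; // hypothetical; plays the role of the RequestTimeout option
    private readonly ILogger _logger;

    public SimplePwnedPasswordsValidator(ILogger<SimplePwnedPasswordsValidator<TUser>> logger, TimeSpan? timeout = null)
    {
        _logger = logger;
        _timeout = timeout ?? TimeSpan.FromSeconds(5);
    }

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
    {
        // Upper-case hex SHA-1; only the 5-char prefix leaves the server, the 35-char suffix is matched locally.
        var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
        var prefix = hash.Substring(0, 5);
        var suffix = hash.Substring(5);
        try
        {
            using var cts = new CancellationTokenSource(_timeout);
            using var request = new HttpRequestMessage(HttpMethod.Get, "https://api.pwnedpasswords.com/range/" + prefix);
            request.Headers.UserAgent.ParseAdd("SimplePwnedPasswordsValidator-example");
            using var response = await Http.SendAsync(request, cts.Token);
            response.EnsureSuccessStatusCode();
            var body = await response.Content.ReadAsStringAsync(cts.Token);
            // Response lines look like "SUFFIX:COUNT"; a line starting with our suffix means a breach hit.
            var found = body.Split('\n').Any(l => l.StartsWith(suffix, StringComparison.OrdinalIgnoreCase));
            return found
                ? IdentityResult.Failed(new IdentityError { Code = "PwnedPassword", Description = "This password has appeared in a data breach." })
                : IdentityResult.Success;
        }
        catch (Exception ex) when (ex is OperationCanceledException || ex is HttpRequestException)
        {
            // Fail open, as the package does: log the error and allow the password rather than block sign-up.
            _logger.LogError(ex, "Pwned Passwords check failed; allowing password.");
            return IdentityResult.Success;
        }
    }
}
```

Register it with `.AddPasswordValidator<SimplePwnedPasswordsValidator<IdentityUser>>()` in the same chain shown above; the fail-open branch is the reason the logged error deserves a monitoring alert, since a prolonged outage silently disables the check.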
Acknowledgements
- This tweet by Troy Hunt was my primary inspiration.
- The Creating a validator to check for common passwords in ASP.NET Core Identity article by Andrew Lock was another source.
- I'm using the Have I Been Pwned service by Troy Hunt.
Author & Legal
- This project was created by Michal Altair Valášek.
- I'm a Microsoft MVP for Visual Studio and Development Technologies.
- Licensed under the terms of the MIT License.
- This project has No Code of Conduct (NCoC).