Troy Hunt has an interesting write-up over on his blog, Introducing 306 million freely downloadable pwned passwords.
All the passwords that have been in a breach are searchable.
If there is a hit, the password is either already out there from a breach, or someone else made the same password choice as you did (which decreases its security either way).
But there's also a section on how to utilise this for Identity Management.
When you ask the user to select a password, check it against this list and reject the password if there is a hit.
Azure AD takes a similar approach: it rejects any password that appears on its list of commonly used passwords.
Enjoy!