HaveIBeenPwned

Content Type: Module
Categories: Authentication

Overview

A module that lets you check whether accounts have been breached by calling Troy Hunt's Have I Been Pwned API. Besides checking for breached accounts, the module can also check whether a password occurs in previous breaches. Use case 1: you want to check whether the accounts in your app have previously been breached, so you can enforce a password reset if necessary. Use case 2: you want to make sure users don't use a previously breached password, in line with the NIST password guidelines.

Documentation

Description

Module that makes use of the Have I Been Pwned API service made by Troy Hunt

With this module it is easy to find breached accounts and the platforms on which they were breached, based on the data in the Have I Been Pwned database. The cracked passwords from all of these breaches have also been put in a gigantic (hashed) database of their own, which can be queried as well and returns the number of occurrences.
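The password check described above is a range query against the Pwned Passwords API: the password is hashed with SHA-1, only the first five hex characters of the hash are sent, and the response lists every hash suffix that shares that prefix together with its occurrence count, so the full hash never leaves the app. The Python below is an added example (not the module's own microflow or Java code) that does the hashing, builds the request URL, parses a constructed sample response and applies a numeric threshold; the sample response body and its counts are made up, and the threshold parameter is an assumption standing in for whatever the module's StrictnessPolicy setting actually does.

```python
import hashlib
from typing import Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response. The real endpoint returns one
# "SUFFIX:COUNT" line per SHA-1 hash that shares the requested 5-character
# prefix. Suffixes and counts below are made up for this example, except
# that the second line carries the real suffix of SHA-1("password").
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E8C1FD1B2A9E5F0C3B4D5E6F7A8B9C0D1E:0",
])


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix); only the 5-character prefix is ever sent."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL a client would GET for a prefix (k-anonymity: no full hash on the wire)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return PWNED_RANGE_URL + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Map each 35-character hash suffix to its occurrence count.

    A count of 0 is padding the API adds when a client asks for it; a
    password matching such a line is still not breached."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Occurrences of the password in the breach corpus (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def password_allowed(password: str, range_body: str, max_occurrences: int = 0) -> bool:
    """Policy check. max_occurrences is an assumed threshold for this example,
    not the module's StrictnessPolicy semantics; 0 rejects any breached password."""
    return breach_count(password, range_body) <= max_occurrences
```

In a live client, `range_body` is the text returned by an HTTP GET of `range_url(prefix)`; the lookup of the suffix then happens locally, which is what keeps the check privacy-preserving.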

Typical usage scenario

  • You want to check whether accounts in your app have been breached, to enforce better security or a password reset.
  • You want to make sure your users aren’t using passwords that have been found in breaches before.

Features and limitations

  • The breached account API is rate limited at one request per 1500 ms; the module has an automatic retry mechanism whose delay is based on the response the API returns.
  • There is no support for the Paste breaches, Single breached sites, Data classes, or all Breaches.
  • For more information about the API, go to https://haveibeenpwned.com/API/v3 or read one of Troy’s latest blog posts about the security misconceptions of Pwned Passwords.
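The retry behaviour in the first bullet above can be illustrated with a small Python helper. This is an added example, not the module's implementation: it honours the Retry-After header that the Have I Been Pwned API sends with a 429 response, falls back to the documented 1500 ms interval when that header is missing or unusable, and treats a 404 as "no breaches for this account", which is how the API reports an unbreached account. The FakeBreachApi class is a constructed stand-in for the breachedaccount endpoint so the code runs offline, and its breach payload is made up.

```python
import json
import time
from typing import Callable, Dict, List, Tuple

RATE_LIMIT_INTERVAL_SECONDS = 1.5   # one request per 1500 ms, as documented for the API


class FakeBreachApi:
    """Constructed stand-in for the breachedaccount endpoint (offline only).

    Replies 429 with a Retry-After header a set number of times, then either
    200 with a made-up breach list or 404 for an account with no breaches."""

    def __init__(self, rate_limited_replies: int, retry_after: str = "2", breached: bool = True):
        self.rate_limited_replies = rate_limited_replies
        self.retry_after = retry_after
        self.breached = breached
        self.calls = 0

    def get(self, account: str) -> Tuple[int, Dict[str, str], str]:
        self.calls += 1
        if self.rate_limited_replies > 0:
            self.rate_limited_replies -= 1
            return 429, {"Retry-After": self.retry_after}, ""
        if not self.breached:
            return 404, {}, ""  # the real API answers 404 when the account is in no breach
        return 200, {}, json.dumps([{"Name": "ExampleBreach", "BreachDate": "2020-01-01"}])


def retry_delay(headers: Dict[str, str]) -> float:
    """Seconds to wait before retrying: Retry-After if present and numeric,
    otherwise the documented rate-limit interval."""
    value = headers.get("Retry-After")
    if value is None:
        return RATE_LIMIT_INTERVAL_SECONDS
    try:
        return float(value)
    except ValueError:
        return RATE_LIMIT_INTERVAL_SECONDS


def fetch_breaches(api, account: str, max_attempts: int = 5,
                   sleep: Callable[[float], None] = time.sleep) -> Tuple[List[dict], List[float]]:
    """Return (breaches, delays_slept). Retries only on 429; any other
    unexpected status is raised so a microflow's error handling can see it."""
    delays: List[float] = []
    for _ in range(max_attempts):
        status, headers, body = api.get(account)
        if status == 200:
            return json.loads(body), delays
        if status == 404:
            return [], delays
        if status == 429:
            delay = retry_delay(headers)
            delays.append(delay)
            sleep(delay)
            continue
        raise RuntimeError(f"unexpected HTTP status {status} from breach API")
    raise RuntimeError(f"gave up after {max_attempts} rate-limited attempts")
```

The `sleep` parameter is injected so the retry loop can be exercised without actually waiting; a real client would also send the `hibp-api-key` and a `user-agent` header, which the configuration section below asks you to fill in.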

Dependencies

Installation

  • Breaches:
    • Use the SUB_Account_CheckForBreaches microflow
    • Set Error Handling on the microflow to handle errors from the API gracefully
  • Pwned Passwords
    • Use the PasswordSettings snippet to set your preferred password policy
    • Use the PasswordNotBreached rule to check whether the password is in line with the set password policy.

Configuration

  • Breaches:
    • Fill in the API key
    • Decide whether you want to use Full or Truncated responses
    • Add the name of your app as the User Agent
  • Pwned Passwords
    • Make sure you set the StrictnessPolicy in the Setting

Releases

Version: 1.2.0
Framework Version: 10.3.1
Release Notes: Upgraded to Mendix 10.3.1

Version: 1.1.0
Framework Version: 9.18.7
Release Notes: Upgraded version to Mendix 9.18.7

Version: 1.0.1
Framework Version: 8.12.6
Release Notes: Consistent naming of modules and microflows. Also possible to search for phone breaches.

Version: 1.0.0
Framework Version: 8.12.6
Release Notes: Initial release of module to connect to the Have I Been Pwned APIs