
Check haveibeenpwned API during password reset and account creation #170

Conversation

jamesmorrison
Member

Description of the Change

Verify new password against the Have I Been Pwned API during password change (on profile or via reset process)

Closes #77

How to test the Change

Changing password through profile

  1. Log in to WP and access your profile
  2. Scroll down to "Set New Password" and enter something in a breach (e.g. london123)
  3. Scroll down to the "Update Profile" button
  4. If need be, remove the disabled attribute on the Update Profile button - this is added through JS when a "weak" password is identified
  5. Save and confirm you see the error: "The password entered may have been included in a data breach and is not considered safe to use. Please choose another." - note you may also see another error stating "Password must be medium strength or greater." (ignore this, but be aware of the correlation between weak passwords and data breaches; in many cases both errors will show)

Reset password process

  1. Navigate to WP login and run through the password reset process
  2. Open the link in the email
  3. In the new password field enter something in a breach (e.g. london123)
  4. If need be, remove the disabled attribute on the Save Password button - this is added through JS when a "weak" password is identified
  5. Save and confirm you see the error: "The password entered may have been included in a data breach and is not considered safe to use. Please choose another." - note you may also see another error stating "Password must be medium strength or greater." (ignore this, but be aware of the correlation between weak passwords and data breaches; in many cases both errors will show)

Changelog Entry

Added - Verify new password against the Have I Been Pwned API during password change (on profile or via reset process)

Credits

Props @jamesmorrison

Checklist:
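The check this PR describes is the Have I Been Pwned Pwned Passwords "range" lookup: the client SHA-1 hashes the candidate password, sends only the first five hex characters of the digest, receives every breached hash suffix sharing that prefix with its breach count, and matches the remaining 35 characters locally, so the password and its full hash never leave the server running WordPress. The following is an added Python example of that flow, not the plugin's own PHP code; `ConstructedRangeServer` is an offline stand-in for the API built from a constructed breach list (not real HIBP data), the error string is the one quoted in the test steps above, and the choice to fail open when the API is unreachable is an assumption of this example, not something the PR states.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Real HIBP Pwned Passwords range endpoint; it is queried by hash prefix only.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Error text quoted in the PR's test steps.
BREACH_ERROR = ("The password entered may have been included in a data breach "
                "and is not considered safe to use. Please choose another.")


def sha1_upper_hex(password: str) -> str:
    """HIBP keys passwords by the upper-case hex SHA-1 of their UTF-8 bytes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padded responses include count-0 entries, kept as 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue  # skip blank or malformed lines instead of raising
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breaches the password appears in (0 = not found in this range)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def validate_new_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Return the error strings the reset/profile form should show; empty means accept."""
    errors: List[str] = []
    try:
        if breach_count(password, fetch_range) > 0:
            errors.append(BREACH_ERROR)
    except OSError:
        # Assumption: fail open on API outage so users are not locked out of resets.
        pass
    return errors


def fetch_range_live(prefix: str) -> str:
    """Fetcher for the real API (not used by the offline demo below)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


class ConstructedRangeServer:
    """Offline stand-in for the range endpoint, built from a constructed breach list."""

    def __init__(self, breached: Dict[str, int]) -> None:
        self.by_prefix: Dict[str, Dict[str, int]] = defaultdict(dict)
        for pw, count in breached.items():
            prefix, suffix = split_hash(pw)
            self.by_prefix[prefix][suffix] = count
        self.requests: List[str] = []  # records what the client sent

    def fetch(self, prefix: str) -> str:
        self.requests.append(prefix)
        lines = [f"{s}:{c}" for s, c in sorted(self.by_prefix[prefix].items())]
        lines.append("0" * 34 + "A:0")  # padding-style zero-count entry
        return "\r\n".join(lines)


if __name__ == "__main__":
    server = ConstructedRangeServer({"london123": 1000, "hellomyfrien": 4})
    for pw in ("london123", "correct-horse-battery-staple-9x"):
        print(pw, validate_new_password(pw, server.fetch))
    print("prefixes sent:", server.requests)
```

Inspecting `server.requests` after a run shows that only five-character prefixes were transmitted, which is the property that makes it acceptable to send a user's new password through this check at all.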

darylldoyle previously approved these changes Feb 6, 2025
@darylldoyle
Contributor

Tested using the password: hellomyfrien which was confirmed as pwned using https://haveibeenpwned.com/Passwords


@darylldoyle darylldoyle merged commit ed335dd into develop Mar 12, 2025
5 checks passed
@darylldoyle darylldoyle deleted the feature/77-add-haveibeenpwned-check-during-password-validation branch March 12, 2025 13:15