Preflight checklist
Ory Network Project
N/A
Describe your problem
Kratos already supports checking passwords against the HaveIBeenPwned (HIBP) Pwned Passwords API during registration and password changes. However, a password that was clean at registration time may appear in a future breach dump. Users who never change their password remain unknowingly exposed indefinitely.
NIST SP 800-63B and Microsoft's guidance both recommend checking passwords against breach corpora not only at creation time but also on subsequent authentications. Without this, Kratos cannot proactively detect or act on credentials that become compromised after they were set.
Describe your ideal solution
Extend the existing HIBP password check to also run on every successful password login attempt (after the password is verified, so the check is only made for valid credentials).
Behavior when the password is found in a breach at login time should be configurable. Reasonable options are:
- Warn only: allow the login to succeed but set a flag on the session or identity so the UI can prompt the user to change their password.
- Force password change: redirect the user to a mandatory password-change flow before granting a full session.
- Block login: deny the login and require the user to recover their account via the recovery flow.
The check should reuse the existing HIBP integration (k-anonymity, rate-limit handling, ignore_network_errors flag) so no new external dependencies are introduced.
Example config addition:
password:
haveibeenpwned:
enabled: true
# existing registration/change behavior:
max_breaches: 0
ignore_network_errors: true
# new: also check on login
check_on_login: true
on_login_breach: warn # warn | force_change | blockWorkarounds or alternatives
- Operators can use webhooks on the login flow to call HIBP themselves, but this is complex to implement correctly and not available to all deployments.
- Periodic background jobs that re-check stored (hashed) passwords are not feasible because Kratos only stores bcrypt hashes — the plaintext is only available at login time.
Version
latest
Additional context
Preflight checklist
Ory Network Project
N/A
Describe your problem
Kratos already supports checking passwords against the HaveIBeenPwned (HIBP) Pwned Passwords API during registration and password changes. However, a password that was clean at registration time may appear in a future breach dump. Users who never change their password remain unknowingly exposed indefinitely.
NIST SP 800-63B and Microsoft's guidance both recommend checking passwords against breach corpora not only at creation time but also on subsequent authentications. Without this, Kratos cannot proactively detect or act on credentials that become compromised after they were set.
Describe your ideal solution
Extend the existing HIBP password check to also run on every successful password login attempt (after the password is verified, so the check is only made for valid credentials).
Behavior when the password is found in a breach at login time should be configurable. Reasonable options are:
The check should reuse the existing HIBP integration (k-anonymity, rate-limit handling,
ignore_network_errorsflag) so no new external dependencies are introduced.Example config addition:
Workarounds or alternatives
Version
latest
Additional context
selfservice/strategy/password/validator.go