This project is an ASP.NET Identity password validator that checks a candidate password against Pwned Passwords by Troy Hunt. If the password is found among the leaked passwords, it is refused.
A blog article and a recording of a live coding session are available, but in Czech only.
- Install the `Altairis.Services.PwnedPasswordsValidator` package.
- Register the `PwnedPasswordsValidator` class in the `ConfigureServices` method of your startup class, e.g. with the default settings:

```csharp
services.AddDefaultIdentity<IdentityUser>()
    .AddDefaultUI(UIFramework.Bootstrap4)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddPasswordValidator<PwnedPasswordsValidator<IdentityUser>>();
```
There is a single configuration parameter, the request timeout, which defaults to 5 seconds. If the server does not respond within the configured timeout, the password is allowed and an error is logged (the validator fails open rather than blocking registration when the service is unreachable).

To change the timeout, configure the `PwnedPasswordsValidatorOptions` class:

```csharp
services.Configure<PwnedPasswordsValidatorOptions>(c => {
    c.RequestTimeout = TimeSpan.FromSeconds(10);
});
```
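To show what such a validator does behind the registration and timeout settings above, here is an added, self-contained example of an `IPasswordValidator<TUser>` that queries the public Pwned Passwords range API. It is illustrative code written for this README, not the package's own implementation; the option class name is kept for consistency with the configuration snippet, but its internals, the `IsSuffixInRange` helper and the error code `PwnedPassword` are assumptions of this example. The API contract it relies on (SHA-1 of the password, only the first five hex characters sent, `SUFFIX:COUNT` lines returned, optional `Add-Padding` header) is the documented k-anonymity model of the service.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Single option, as in the README: how long to wait for the remote service.
public class PwnedPasswordsValidatorOptions
{
    public TimeSpan RequestTimeout { get; set; } = TimeSpan.FromSeconds(5);
}

// Example validator (assumption: not the package's code). Only a 5-character
// SHA-1 prefix ever leaves the application; the full hash is compared locally.
public class PwnedPasswordsValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    private static readonly HttpClient Http = CreateClient();
    private readonly PwnedPasswordsValidatorOptions options;
    private readonly ILogger<PwnedPasswordsValidator<TUser>> logger;

    public PwnedPasswordsValidator(IOptions<PwnedPasswordsValidatorOptions> options,
                                   ILogger<PwnedPasswordsValidator<TUser>> logger)
    {
        this.options = options.Value;
        this.logger = logger;
    }

    private static HttpClient CreateClient()
    {
        var client = new HttpClient { BaseAddress = new Uri("https://api.pwnedpasswords.com/range/") };
        // Padding makes every range response a similar size, so response length
        // does not leak which prefix was queried to a network observer.
        client.DefaultRequestHeaders.Add("Add-Padding", "true");
        return client;
    }

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
    {
        string hash;
        using (var sha1 = SHA1.Create())
        {
            // Upper-case hex without separators, the form the API uses.
            hash = BitConverter.ToString(sha1.ComputeHash(Encoding.UTF8.GetBytes(password))).Replace("-", "");
        }
        var prefix = hash.Substring(0, 5);
        var suffix = hash.Substring(5);

        string body;
        try
        {
            using (var cts = new CancellationTokenSource(this.options.RequestTimeout))
            using (var response = await Http.GetAsync(prefix, cts.Token))
            {
                response.EnsureSuccessStatusCode();
                body = await response.Content.ReadAsStringAsync();
            }
        }
        catch (Exception ex) when (ex is OperationCanceledException || ex is HttpRequestException)
        {
            // Fail open, matching the behaviour described in the README: log and allow.
            this.logger.LogError(ex, "Pwned Passwords lookup failed; password allowed without check.");
            return IdentityResult.Success;
        }

        if (IsSuffixInRange(body, suffix, out var count))
        {
            return IdentityResult.Failed(new IdentityError
            {
                Code = "PwnedPassword",
                Description = $"This password has appeared in {count} known data breaches and cannot be used."
            });
        }
        return IdentityResult.Success;
    }

    // Pure parser for the range response: one "SUFFIX:COUNT" per line.
    // Padded entries carry a count of 0 and are therefore not matches.
    public static bool IsSuffixInRange(string body, string suffix, out long count)
    {
        count = 0;
        foreach (var rawLine in body.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var parts = rawLine.Split(':');
            if (parts.Length != 2) continue;
            if (!string.Equals(parts[0].Trim(), suffix, StringComparison.OrdinalIgnoreCase)) continue;
            if (!long.TryParse(parts[1].Trim(), out count) || count == 0) continue;
            return true;
        }
        return false;
    }
}
```

Whether a lookup failure should allow or reject the password is a deliberate choice: allowing keeps registration working during an outage at the cost of an unchecked password, which is why the error log line matters and should be monitored; a stricter deployment can return `IdentityResult.Failed` from the `catch` block instead.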
- This tweet by Troy Hunt was my primary inspiration.
- The article Creating a validator to check for common passwords in ASP.NET Core Identity by Andrew Lock was another source.
- I'm using the Have I Been Pwned service by Troy Hunt.
- This project was created by Michal Altair Valášek.
- I'm a Microsoft MVP for Visual Studio and Development Technologies.
- Licensed under the terms of the MIT License.
- This project has No Code of Conduct (NCoC).