This project is ASP.NET Identity Password Validator that checks candidate password against Pwned Passwords by Troy Hunt. If the password is found in leaked passwords, it's refused.

There is a blog article and live coding session recording available, but in Czech language only.

1. Install package Altairis.Services.PwnedPasswordsValidator.
2. Register the PwnedPasswordsValidator class in the ConfigureServices method of your startup class, ie. with the default settings:

services.AddDefaultIdentity<IdentityUser>()
    .AddDefaultUI(UIFramework.Bootstrap4)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddPasswordValidator<PwnedPasswordsValidator<IdentityUser>>();

There is single configuration parameter and that's request timeout, which is by default 5 seconds. If the server does not respond within defined timeout, the password is allowed and error is logged.

To configure the timeout, inject the PwnedPasswordsValidatorOptions class:

services.Configure<PwnedPasswordsValidatorOptions>(c => {
    c.RequestTimeout = TimeSpan.FromSeconds(10);
});

• This tweet by Troy Hunt was my primary inspiration.
• The Creating a validator to check for common passwords in ASP.NET Core Identity article by Andrew Lock was another source.
• I'm using the Have I Been Pwned service by Troy Hunt

• This project was created by Michal Altair Valášek
• I'm Microsoft MVP for Visual Studio and Development Technologies
• Licensed under terms of the MIT License
• This project has No Code of Conduct (NCoC)