Security Tip: Should You Block Compromised Passwords?
[Tip#13] Blocking Compromised (Pwned) Passwords forces your users to use strong passwords, but is it the right choice for your app?
š¤ Learn to Think Like a Hacker with my hands-on practical security course: Practical Laravel Security! šµļø
ā ļø Need a security audit but don't have the budget for a full penetration test? Book in a Laravel Security Review! šµļø
Passwords are the digital keys that keep user accounts safe, but passwords only work when they are secret and unguessable. The classic āfixā is to impose password complexity rules, but who here hasnāt simply added a 1
or !
(or both) onto the end of the password they wanted to use?
Password complexity rules and complexity indicators are superficial fixes that donāt solve the root problem: users are lazy and reuse the same passwords everywhere.
The problem with reusing passwords is simple: If user reuses the same password on multiple sites (i.e. A, B, & C) and site A is compromised and has stored passwords insecurely, the hacker now has a working
username:password
combination to use on siteās B & C.These passwords are known as Compromised or āPwnedā Passwords.
To prevent users from using compromised passwords, we can use the excellent Pwned Passwords service by Troy Hunt, which aggregates passwords from data breaches and provides a secure1 way to check if passwords have been pwned or not.
The Laravel Password Validation Rule comes with an `uncompromised()`
method, which we can use to easily validate passwords and prevent the use of pwned/compromised passwords when users create accounts or change passwords:
$validator = Validator::make($request->all(), [
'password' => [
'required',
'confirmed',
Password::min(8)->uncompromised()
],
]);
Itās super simple to use, so thereās no reason not to use itā¦ right?
Thereās always a butā¦
You canāt simply add the `uncompromised()`
rule into your validator and consider the job done. When the validator fails on user registration, this is the message your users will see2:
'The given :attribute has appeared in a data leak. Please choose a different :attribute.'
If your audience are all technical folks, they should know what a ādata leakā is and why passwords are important, so this message will probably make them laugh and theyāll pick a new password. Job done. š
But what if they are non-technical? They might not know what a ādata leakā is, or how to use a password manager, and they may reuse the same password everywhere. If they hit this message, there is a good chance theyāll simply go elsewhere and find one of your competitors3 to sign up for with their terrible password.
Donāt get me wrong, Iām not saying you shouldnāt use the `uncompromised()`
password rule, but I think you need to take it a step further. We need to encourage our users to use secure passwords, and to do so, we need to teach them what a secure password is.
Educate Your Technical Users
If your users are technical, you can expand on the validation message to provide links to resources like Pwned Passwords and extra FAQ entries. This is something that StefƔn Jƶkull Sigurưarson did at EveOnline very successfully:
Help Your Non-Technical Users
If your users are non-technical, maybe make it soft-fail, and allow them to use a pwned password but add extra authentication steps in or provide information for them to read about passwords and encourage them to update their password4. In addition, a magic link sent via email is easy second layer of authentication you could employ to keep their accounts safe, and shifts the burden of authentication onto their email providers - who likely have much bigger security budgets than you!
Finally, donāt forget that SMS-based Multi-Factor Authentication is not insecure5. Itās far more secure than using a password on itās own, and itās also incredibly accessible for non-technical users who wouldnāt know where to start with a authentication app. So donāt be afraid to implement SMS MFA as an option6!
If youāve got anything to add to the discussion around pwned passwords, want me to clarify anything, or maybe you disagree with me, please jump into the comments and let your thoughts be known! Iād love to get a discussion going to dive into this topic further. š
Despite all of the security advice of āNever provide your password to a third-partyā, the Pwned Passwords service is safe and secure and you can use it to check passwords.
See https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity for more information why itās safe to use.
With worse security
Some ānon-technicalā users would love to learn more but just donāt know where to start!
SMS MFA attacks are specifically targeted against high value targets, not normal users. Plus, the āSMS MFAā insecurity is usually an insecure password reset that bypasses the password entirely anyway.
You should throw app-based MFA (TOTP), and Passkeys in there tooā¦ but if you only have time to implement one type of MFA, consider which is the most suitable for your userbase.