We've recently gone through a similar process. Initially, we had almost the exact same approach as shown in your video.
While we (nerds) liked it very much, our beta testers, not using a password manager, did not. Even the requirement for anything more than 8 characters could be a deal breaker for some.
In the end we scrapped the whole thing, and decided to require just 8 characters. But we check if the password is pwned and don't allow those that are. We check them again every month at login, and warn the user if the pwned status changes.
Hope that helps. :)
Doesn't checking if a password is pwned require knowing a user's plaintext password? Isn't that a greater security risk?
Good question. Yes, we need to know the plain text password. That's why we can only check the pwned status at signup and login. We never store or log plain text passwords, nor do we send them over a network. Checking with the Pwned API happens by hashing the password and sending just a part of the hash over to Pwned. So the plain text password only exists in memory for the duration of the signup or login request.
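The check described in the comment above is the k-anonymity range lookup of the Pwned Passwords API: the client SHA-1 hashes the password locally, sends only the first 5 hex characters of the hash, and receives every known hash suffix starting with that prefix, so the full hash (and the password) never leaves the process. The following is an added example, not code from the commenter's project. To keep it runnable offline, the network call is replaced by a constructed range response assumed to contain the well-known SHA-1 of "password" (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) with a made-up count; the other suffixes and counts in that response are also constructed. The live fetcher is included for reference but is not called here.

```python
import hashlib
import urllib.request
from typing import Callable

# The API returns one "SUFFIX:COUNT" line per known hash sharing the 5-char prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password locally and split the hex digest into the 5-char
    prefix that is sent over the network and the 35-char suffix that stays
    on our side. The plaintext never leaves this function's caller."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API) into a map.
    Padded responses (Add-Padding: true) include dummy entries with count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches
    (0 means not found). Only the prefix is handed to fetch_range; matching
    the suffix happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    # A padding entry carries count 0, so treat 0 the same as absent.
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live fetcher (not exercised here): GET the range for the 5-char prefix.
    Add-Padding asks the API to hide the true response size from observers."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. It knows only
# the prefix 5BAA6 and returns a made-up count for the SHA-1 of "password",
# plus two fabricated suffixes and one zero-count padding entry.
CONSTRUCTED_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "2A7BCD1F9E3C4D5A6B7C8D9E0F1A2B3C4D5:12\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)


def fetch_range_constructed(prefix: str) -> str:
    """Offline fetcher: only the constructed prefix has data; any other prefix
    yields an empty range, i.e. nothing known."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Signup/login policy from the comment: at least 8 characters and not pwned."""
    return len(password) >= 8 and pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "nobody-has-used-this-one-8f3k2"):
        print(pw, "->", pwned_count(pw, fetch_range_constructed),
              "acceptable:", is_acceptable(pw, fetch_range_constructed))
```

To run the check for real, pass fetch_range_live instead of fetch_range_constructed; the only thing that crosses the network either way is the 5-character prefix.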
Ah OK. I didn't realise you could check the hash at pwnd. That's pretty neat.