Prevent users from using compromised passwords
When a user attempts to update their password through the Change passwords (PSS) module, Bravura Security Fabric can be configured to check the new password against a list of compromised passwords.
The Functional.hid_password_policy_haveibeenpwned component adds an update to the Password Policy that compares the new password against the "Have I been pwned?" (haveibeenpwned) list of known compromised passwords. The password update is not allowed to proceed if a match is found.
Requirements
By default, the component works only for the DEFAULT password policy. To apply the plugin to other policies, copy the component to the Custom folder and update the manifest.xml file by replacing the <resourceid> tag value DEFAULT with the customized password policy ID (in both places), e.g.
<provides_for> <resourceid>CUSTOM_PWPOL</resourceid> </provides_for>
The component code connects to the endpoint https://api.pwnedpasswords.com/range/<password hash prefix>. Ensure that the site is added to the firewall rules (whitelisted); otherwise, the plugin will fail with a timeout error.
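The lookup described above, as an added example in Python (it is not the component's own plugin_check_password.py): it splits the SHA-1 hash of the candidate password into the 5-character prefix that is sent to the range endpoint and the 35-character suffix that is only compared locally, parses the SUFFIX:COUNT response, and lets a reject_on_connection_failure flag decide whether a timeout or a blocked connection fails closed or open. The function names, the User-Agent string, and the offline fetchers with their sample data are constructed for this example.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Uppercase SHA-1 hex split into the 5-char prefix that is sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Parse a range response ("SUFFIX:COUNT" per line); 0 if suffix absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix, timeout=5.0, proxy=None):
    """Live lookup of one prefix; raises OSError on network failure/timeout."""
    handlers = [urllib.request.ProxyHandler({"https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwpol-check"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def password_is_acceptable(password, reject_on_connection_failure=True, fetcher=fetch_range):
    """False when the password is in the breached list. If the lookup fails,
    reject_on_connection_failure picks fail-closed (reject) or fail-open."""
    prefix, suffix = split_hash(password)
    try:
        body = fetcher(prefix)       # only the 5-char prefix leaves the host
    except OSError:                  # URLError and socket.timeout are OSErrors
        return not reject_on_connection_failure
    return count_in_range(suffix, body) == 0

def constructed_fetcher(prefix):
    """Offline stand-in for fetch_range (constructed data): lists the suffix
    of the breached sample password "password" plus one filler entry."""
    _, suffix = split_hash("password")
    return "00A1B2C3D4E5F60718293A4B5C6D7E8F9A0:2\r\n" + suffix + ":3861493\r\n"

def failing_fetcher(prefix):
    """Offline stand-in that simulates a timeout or a blocked firewall."""
    raise OSError("constructed: connection to api.pwnedpasswords.com timed out")
```

Setting reject_on_connection_failure to False keeps password changes working while the endpoint is unreachable but silently skips the check, so pair it with monitoring of lookup failures.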
Example
1. Install Functional.hid_password_policy_haveibeenpwned. This component automatically configures the "Require the password to be approved by this plugin" password rule to use the plugin_check_password.py plugin.
2. Optional: Click Manage external data store > hid_global_configuration to configure the component's proxy, timeout, and reject_on_connection_failure settings to suit your environment.
3. Log into Bravura Security Fabric as a user and navigate to the Change passwords (PSS) module.
4. Attempt to change the user's password to one known to be compromised and verify that the change password button is disabled.
5. Attempt to change the user's password to an uncompromised one and verify that the change password button is enabled and the password update is allowed to proceed.
See Managing Components for more information on installing components.