This example shows how to enforce a password change in the case of a weak password, by using the Scriptable Step. Upon each end-user login, the script checks via the haveibeenpwned website whether the password has appeared in a breach. If so, the end-user is forced to change their password.
A breached password is a password that has previously been exposed in a data breach. This exposure poses a substantial risk to the end-user's account(s), because the now-known password can be misused in attacks such as credential stuffing or password spraying. Credential stuffing occurs when an attacker tries out large numbers of breached username/password pairs to fraudulently gain access to specific user accounts. Password spraying is a tactic where an attacker attempts to break into many target accounts by trying the same single breached password against each of them.
The script described here counters the above attacks by forcing the end-user to change their password in the case of a breach. A compromised password can then no longer be used to access your application, making your system more secure.
This is how the script works:
- Upon end-user login, the script takes the end-user's password and hashes it with SHA-1. The real password itself is never sent anywhere during the password check.
- Next, the script sends only the first 5 characters of the password hash, i.e., the hash prefix, to the website haveibeenpwned. The website returns the hash suffixes of all known breached passwords that share this hash prefix, together with the number of times each was seen. The script then checks locally whether the remaining part of the end-user's password hash matches one of the returned suffixes. If it does, the end-user's password has been breached.
- If a password breach is detected, an acknowledge message step informs the end-user about the number of breaches and prompts the end-user to change their password. At the same time, a red flag (step) is raised, which in turn triggers the mandatory password change step.
- If the end-user's password has not been breached, the end-user logs in normally.
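The check described above, written out as an added Python example (not the script from this page or its product): it splits the SHA-1 hash into the 5-character prefix that is sent and the 35-character suffix that is compared locally, and parses the `SUFFIX:COUNT` lines the Pwned Passwords range API returns. The sample range response is constructed for the example; only the endpoint URL and the response format are the real API's.

```python
import hashlib
import urllib.request
from typing import Callable

# Real Pwned Passwords k-anonymity endpoint: only the 5-char SHA-1 prefix is sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> tuple:
    """Uppercase hex SHA-1 of the password, split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix: str) -> str:
    """Network lookup of one prefix; returns the raw 'SUFFIX:COUNT' lines."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, range_lookup: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in breach data, 0 if never seen.
    The full hash never leaves this function: the remote side sees only the
    prefix, and the suffix comparison happens locally."""
    prefix, suffix = split_sha1(password)
    for line in range_lookup(prefix).splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            # Padded responses may list suffixes with count 0; those are not breaches.
            return int(count) if count.strip().isdigit() else 0
    return 0

def must_change_password(password: str, range_lookup: Callable[[str], str] = fetch_range) -> bool:
    """The decision the login script makes: True means raise the red flag."""
    return breach_count(password, range_lookup) > 0

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
# The other suffixes and all counts are made up for this example, not real API output.
SAMPLE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
             "2A6B5B44B8CF3EDA1D2A7C0BF6B3E49C7A1:0\r\n",
}

def sample_lookup(prefix: str) -> str:
    """Offline stand-in for fetch_range, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2024"):
        n = breach_count(pw, sample_lookup)
        print(f"{pw!r}: seen {n} times -> change required: {must_change_password(pw, sample_lookup)}")
```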
For more details on how the breach check works, see haveibeenpwned API.
For more information on red flags, see Red flags.