Help Your Users to Not Get Pwned
Troy Hunt, the indefatigable publisher of the "Have I Been Pwned?" site,
also has a site and Web service API called Pwned Passwords.
You can use this to check a candidate password to see if it has turned up
in one of the many hacked credential dumps that Mr. Hunt has accumulated.
Mostly, this API will be of interest for Web sites and Web services that allow
users to create their own password-protected accounts. You can rapidly check
the user's candidate password to see if it has already been pwned, perhaps rejecting
it if it has.
There will be scenarios where you want to check this client-side, though:
Your Android team can move faster than your Web service team, and so you would
like to check for pwnage on the client side now, while waiting for the Web
service team to integrate the check on their side
The password will be used for files that mostly will remain local on the device,
but might be published somewhere, using the supplied password as part of an
encryption scheme
You want to integrate pwnage checking into your Android-based password safe
And so on
The Pwned Passwords Web service API is fairly straightforward. There are two
modes: one where you submit the actual password (or its full SHA-1 hash), and one
where you submit only the first five hex characters of the SHA-1 hash of the
password. In that latter "range" mode, the service returns every hash suffix it
knows of that shares those five characters, along with a count for each, and you
compare the remaining 35 characters locally. That case is
more private, in that you don't give Mr. Hunt your user's password, only a
bucket shared by a few hundred other hashes. While
Mr. Hunt surely wouldn't use that information, he is Australian, and
cockatoos there have a remarkable interest in Internet connectivity,
and you wouldn't want your users' passwords in the, um, claws of a rogue
cockatoo.
Besides, shipping passwords over the Internet unnecessarily is just uncool.
This Java class
uses OkHttp and RxJava to let you check a password for pwnage. If you get back
0, then all is well. A positive number represents the number of times that
password occurs in Mr. Hunt's database. Whether you reject the password for
any positive value, or only for a value that exceeds some threshold, is up to
you. It uses the SHA-1 range approach, and so the password itself does not
leave the device; only the first five hex characters of its hash do, and the
match against the returned suffixes happens on the device.
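For readers who want to see the range protocol end to end, here is an added example (not the class linked above, and not Mr. Hunt's code) using only the JDK rather than OkHttp and RxJava. It hashes the password locally, fetches the range for the first five hex characters, and scans the "SUFFIX:COUNT" lines for the remaining 35 characters. The URL is the published range endpoint; the `main()` method runs the parser against a constructed sample response (the counts are made up) so it works offline, and only does a live lookup if you pass a password on the command line. The `Add-Padding` header is a documented option of the range API that makes the service pad each response with zero-count entries so an observer cannot infer the bucket size; the parser treats a zero count as "not found", which is what you want.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** k-anonymity lookup against the Pwned Passwords range API (added example). */
public class PwnedRangeCheck {
    private static final String RANGE_URL = "https://api.pwnedpasswords.com/range/";

    /** Upper-case hex SHA-1 of the UTF-8 bytes of the password, computed locally. */
    static String sha1Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format(Locale.US, "%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is a mandatory JCA algorithm", e);
        }
    }

    /**
     * Scans a range response (one "SUFFIX:COUNT" line per hash sharing the
     * five-character prefix) for the 35-character suffix of our own hash.
     * Returns 0 when absent. The comparison happens here, on the device;
     * the service never sees the suffix.
     */
    static long countFromRange(String fullSha1Hex, String rangeBody) {
        String suffix = fullSha1Hex.substring(5);
        for (String rawLine : rangeBody.split("\\r?\\n")) {
            String line = rawLine.trim();
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // tolerate blank or malformed lines
            }
            if (line.substring(0, colon).equalsIgnoreCase(suffix)) {
                // Padding entries (Add-Padding) carry a count of 0, so they
                // fall out naturally as "not pwned".
                return Long.parseLong(line.substring(colon + 1).trim());
            }
        }
        return 0L;
    }

    /** Fetches the range for the first five hex characters and matches locally. */
    static long checkPwned(String password) throws IOException {
        String hash = sha1Hex(password);
        URL url = new URL(RANGE_URL + hash.substring(0, 5)); // only the prefix goes out
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("User-Agent", "pwned-range-example"); // identify the caller
        conn.setRequestProperty("Add-Padding", "true"); // hide the bucket size on the wire
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("Unexpected HTTP status " + status);
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        return countFromRange(hash, body.toString());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample response for prefix 5BAA6 (the counts are made up);
        // a real range holds a few hundred such lines, CRLF-separated.
        String sample =
                "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
              + "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
              + "1E2AAA439972480CEC7F16C795BBB429372:1\r\n";

        String hash = sha1Hex("password");
        System.out.println("SHA-1: " + hash);
        System.out.println("count for \"password\" in sample: " + countFromRange(hash, sample));
        System.out.println("count for a passphrase in sample: "
                + countFromRange(sha1Hex("correct horse battery staple"), sample));

        if (args.length > 0) {
            System.out.println("live count: " + checkPwned(args[0]));
        }
    }
}
```

On Android you would run `checkPwned()` off the main thread (which is where the OkHttp and RxJava in the linked class come in), and you would hash exactly the bytes you intend to store or use, since a different encoding or trailing whitespace yields a different SHA-1 and a false "not pwned".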
The class is lightly tested, so YMMV, but it's a starting point for you to
use for crafting your own on-device access to the Pwned Passwords API. And, a variation
on this class might show up in a sample app in a book
at some point. Just sayin'.


