The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password-free yet. So what can we do to protect our users?
Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from "password1" to "correct horse battery staple" and beyond!
--
Links:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords
Western Australia Government passwords: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/
New passphrase requirements:
ACSC: https://www.cyber.gov.au/advice/EasyStepsGuide
NCSC: https://www.ncsc.gov.uk/collection/passwords
NIST: https://pages.nist.gov/800-63-3/sp800-63b.html
Password Validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://github.com/dropbox/zxcvbn
@philnash/pwned: https://github.com/philnash/pwned.js
Other Pwned Passwords libraries:
https://www.npmjs.com/package/hibp
https://www.npmjs.com/package/pwnedpasswords
https://www.npmjs.com/package/pwned-pw