Client Validator for MVC (both Core and Framework) that validates passwords against the https://haveibeenpwned.com/ password database. It will not tell how many times a password has been used as it is not relevant. If it has been leaked, it should not be used again.
In the models that you want to check (hint:
ChangePasswordViewModel are good candidates)
and decorate the appropriate properties with the Hibp attribute:
[Hibp("This password has been exposed in password leaks, please choose another", "Checking password...")]
Make sure to add
sha1.js to one of your bundles or directly to your form pages:
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha1/0.6.0/sha1.js" integrity="sha256-LmIVkNdxjrHbViQZD9LSewZc+3rU/alc7P/UJj6mUPc=" crossorigin="anonymous"></script> <script src="~/scripts/hibpvalidator.js"></script>
Why should you use this instead of something like: https://www.nuget.org/packages/Matrixsoft.PwnedPasswords/
Since this is a client validator, it runs in the users browser. This creates a better user experience (it is faster) and the bandwith is reduced from the server. It is damn easy to implement.
Obviously this is a small wrapper for the massive work done by Troy Hunt:
The package is in live use on these sites (make a PR if you know more)