
Add a HaveIBeenPwned check to your ADFS themes


hibp-adfs

This script computes the SHA-1 hash of the submitted password and checks it against the phenomenally wonderful HaveIBeenPwned API. Pwned passwords result in a warning message, and the end user cannot continue the login (short of fiddling around with developer tools). You may set a minimum threshold of password pwnage; 1 is the most stringent.


Install

  • Set the min_pwnage to your desired amount
  • Set the change_password_url, or set it to an empty string
  • Add the contents of this js file to the end of your ADFS theme's onload.js file. Microsoft docs

Considerations

  • There is no check that the submitted password is correct; that happens after the API call.
  • If the HaveIBeenPwned API is unavailable or unresponsive from the end user's perspective, the login will continue without the check.
  • If the API call takes longer than 2 seconds to complete, the check is aborted and the login will continue.
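The following is an added example, not the project's onload.js, showing the lookup flow the README describes: hash the password, send only the first five hex characters of the SHA-1 to the Pwned Passwords range endpoint, compare the returned suffixes locally against `min_pwnage`, and fall through unchecked when the API fails or the 2-second timeout fires. The function names, the injected `fetchImpl` parameter and the sample range response are assumptions for illustration.

```javascript
// Added example (not hibp-adfs project code). Only the 5-char SHA-1 prefix
// leaves the browser; the full hash is matched client-side (k-anonymity).
const HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";

// Constructed sample of a range response: "SUFFIX:COUNT" per line.
// First suffix belongs to SHA-1("password"); counts are made up.
const SAMPLE_RANGE_BODY =
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" +
  "003D68EB55068C33ACE09247EE4C639306B:3\r\n";

// SHA-1 of the password as lowercase hex, using Web Crypto (browser / Node 19+).
async function sha1Hex(password) {
  const data = new TextEncoder().encode(password);
  const digest = await crypto.subtle.digest("SHA-1", data);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, "0")).join("");
}

// Return how many times the full hash appears in the range body, 0 if absent.
function pwnedCountFromRange(sha1, rangeBody) {
  const suffix = sha1.toUpperCase().slice(5);
  for (const line of rangeBody.split(/\r?\n/)) {
    const [lineSuffix, count] = line.trim().split(":");
    if (lineSuffix === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// Block when the breach count reaches minPwnage (1 = most stringent).
function isPwned(count, minPwnage) {
  return count >= minPwnage;
}

// checked:false means the API errored or timed out, so login proceeds
// without the check (the README's fail-open behaviour). fetchImpl is
// injected so the call can be faked offline.
async function checkPassword(sha1, minPwnage, fetchImpl, timeoutMs = 2000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const prefix = sha1.toUpperCase().slice(0, 5);
    const resp = await fetchImpl(HIBP_RANGE_URL + prefix, { signal: controller.signal });
    if (!resp.ok) return { pwned: false, count: 0, checked: false };
    const count = pwnedCountFromRange(sha1, await resp.text());
    return { pwned: isPwned(count, minPwnage), count, checked: true };
  } catch (_err) {
    return { pwned: false, count: 0, checked: false };
  } finally {
    clearTimeout(timer);
  }
}
```

In the ADFS theme, `checkPassword(await sha1Hex(passwordField.value), min_pwnage, fetch)` would run from the form's submit handler, and a `pwned: true` result is what should surface the warning and stop the submit.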