Pwned Passwords Password Validator

The Pwned Passwords Password Validator uses the Pwned Passwords service to determine whether a proposed password is known to have been compromised in a leak or data breach.

The Pwned Passwords service uses the k-Anonymity algorithm to ensure that proposed passwords are not exposed or otherwise compromised in the course of checking to determine whether they have been included in a breach. To accomplish this, the validator computes an unsalted SHA-1 digest of the proposed password, and sends the first five characters of the hexadecimal representation of that digest to the service. The service will then identify all compromised passwords whose SHA-1 digests start with those five characters, and returns the last 35 characters of the hexadecimal representations of those matching digests.

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The Pwned Passwords Password Validator component inherits from the Password Validator

Relations from This Component

The following components have a direct aggregation relation from Pwned Passwords Validators:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 enabled
 validator-requirement-description
 validator-failure-message
 pwned-passwords-base-url
 http-proxy-external-server
 http-connect-timeout
 http-response-timeout
 invoke-for-add
 invoke-for-self-change
 invoke-for-admin-reset
 accept-password-on-service-error
 key-manager-provider
 trust-manager-provider

Basic Properties

description

Description
A description for this Password Validator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the password validator is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

validator-requirement-description

Description
Specifies a message that can be used to describe the requirements imposed by this password validator to end users. If a value is provided for this property, then it will override any description that may have otherwise been generated by the validator.
Default Value
The requirement description will be automatically generated by the password validator.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

validator-failure-message

Description
Specifies a message that may be provided to the end user in the event that a proposed password is rejected by this validator. If a value is provided for this property, then it will override any failure message that may have otherwise been generated by the validator.
Default Value
The requirement description will be automatically generated by the password validator.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

pwned-passwords-base-url

Description
The base URL for requests used to interact with the Pwned Passwords service. The first five characters of the hexadecimal representation of the unsalted SHA-1 digest of a proposed password will be appended to this base URL to construct the HTTP GET request used to obtain information about potential matches.
Default Value
https://api.pwnedpasswords.com/range/
Allowed Values
An absolute URL, or a relative URL
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

http-proxy-external-server

Description
A reference to an HTTP proxy server that should be used for requests sent to the Pwned Passwords service.
Default Value
No HTTP proxy server will be used.
Allowed Values
The DN of any HTTP Proxy External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

http-connect-timeout

Description
The maximum length of time to wait to obtain an HTTP connection.
Default Value
30 s
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

http-response-timeout

Description
The maximum length of time to wait for a response to an HTTP request.
Default Value
30 s
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

invoke-for-add

Description
Indicates whether this password validator should be used to validate clear-text passwords provided in LDAP add requests.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

invoke-for-self-change

Description
Indicates whether this password validator should be used to validate clear-text passwords provided by an end user in the course of changing their own password.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

invoke-for-admin-reset

Description
Indicates whether this password validator should be used to validate clear-text passwords provided by administrators when changing the password for another user.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

accept-password-on-service-error

Description
Indicates whether to accept the proposed password if an error occurs while attempting to interact with the Pwned Passwords service. If this property is set to true and the Pwned Passwords service is unavailable or returns an error response, then this Pwned Passwords Password Validator will assume that the proposed password is acceptable, although it may still be rejected by other validators configured in the server.
If this property is set to false and the Pwned Passwords service is unavailable or returns an error response, then this Pwned Passwords Password Validator will reject the proposed password, regardless of its content.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

key-manager-provider

Description
Specifies which key manager provider should be used to obtain a client certificate to present to the validation server when performing HTTPS communication. This may be left undefined if communication will not be secured with HTTPS, or if there is no need to present a client certificate to the validation service.
Default Value
None
Allowed Values
The DN of any Key Manager Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

trust-manager-provider

Description
Specifies which trust manager provider should be used to determine whether to trust the certificate presented by the server when performing HTTPS communication. This may be left undefined if HTTPS communication is not needed, or if the validation service presents a certificate that is trusted by the default JVM configuration (which should be the case for the Pwned Password servers).
Default Value
None
Allowed Values
The DN of any Trust Manager Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Validators:

dsconfig list-password-validators
     [--property {propertyName}] ...

To view the configuration for an existing Password Validator:

dsconfig get-password-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Validator:

dsconfig set-password-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Pwned Passwords Password Validator:

dsconfig create-password-validator
     --validator-name {name}
     --type pwned-passwords
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Validator:

dsconfig delete-password-validator
     --validator-name {name}