The Pwned Passwords Password Validator uses the Pwned Passwords service to determine whether a proposed password is known to have been compromised in a leak or data breach.
The Pwned Passwords service uses the k-Anonymity algorithm to ensure that proposed passwords are not exposed or otherwise compromised in the course of checking to determine whether they have been included in a breach. To accomplish this, the validator computes an unsalted SHA-1 digest of the proposed password, and sends the first five characters of the hexadecimal representation of that digest to the service. The service will then identify all compromised passwords whose SHA-1 digests start with those five characters, and returns the last 35 characters of the hexadecimal representations of those matching digests.
The Pwned Passwords Password Validator component inherits from the Password Validator
The following components have a direct aggregation relation from Pwned Passwords Validators:
The properties supported by this managed object are as follows:
| Description | A description for this Password Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the password validator is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
validator-requirement-description
| Description | Specifies a message that can be used to describe the requirements imposed by this password validator to end users. If a value is provided for this property, then it will override any description that may have otherwise been generated by the validator. |
| Default Value | The requirement description will be automatically generated by the password validator. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies a message that may be provided to the end user in the event that a proposed password is rejected by this validator. If a value is provided for this property, then it will override any failure message that may have otherwise been generated by the validator. |
| Default Value | The requirement description will be automatically generated by the password validator. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The base URL for requests used to interact with the Pwned Passwords service. The first five characters of the hexadecimal representation of the unsalted SHA-1 digest of a proposed password will be appended to this base URL to construct the HTTP GET request used to obtain information about potential matches. |
| Default Value | https://api.pwnedpasswords.com/range/ |
| Allowed Values | An absolute URL, or a relative URL |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | A reference to an HTTP proxy server that should be used for requests sent to the Pwned Passwords service. |
| Default Value | No HTTP proxy server will be used. |
| Allowed Values | The DN of any HTTP Proxy External Server. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The maximum length of time to wait to obtain an HTTP connection. |
| Default Value | 30 s |
| Allowed Values | A duration. Lower limit is 1 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The maximum length of time to wait for a response to an HTTP request. |
| Default Value | 30 s |
| Allowed Values | A duration. Lower limit is 1 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this password validator should be used to validate clear-text passwords provided in LDAP add requests. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this password validator should be used to validate clear-text passwords provided by an end user in the course of changing their own password. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this password validator should be used to validate clear-text passwords provided by administrators when changing the password for another user. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
accept-password-on-service-error
| Description | Indicates whether to accept the proposed password if an error occurs while attempting to interact with the Pwned Passwords service. If this property is set to true and the Pwned Passwords service is unavailable or returns an error response, then this Pwned Passwords Password Validator will assume that the proposed password is acceptable, although it may still be rejected by other validators configured in the server. If this property is set to false and the Pwned Passwords service is unavailable or returns an error response, then this Pwned Passwords Password Validator will reject the proposed password, regardless of its content. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies which key manager provider should be used to obtain a client certificate to present to the validation server when performing HTTPS communication. This may be left undefined if communication will not be secured with HTTPS, or if there is no need to present a client certificate to the validation service. |
| Default Value | None |
| Allowed Values | The DN of any Key Manager Provider. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies which trust manager provider should be used to determine whether to trust the certificate presented by the server when performing HTTPS communication. This may be left undefined if HTTPS communication is not needed, or if the validation service presents a certificate that is trusted by the default JVM configuration (which should be the case for the Pwned Password servers). |
| Default Value | None |
| Allowed Values | The DN of any Trust Manager Provider. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Password Validators:
dsconfig list-password-validators
[--property {propertyName}] ...
To view the configuration for an existing Password Validator:
dsconfig get-password-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Password Validator:
dsconfig set-password-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Pwned Passwords Password Validator:
dsconfig create-password-validator
--validator-name {name}
--type pwned-passwords
--set enabled:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Password Validator:
dsconfig delete-password-validator
--validator-name {name}