@melissasoding @grassdog I've looked at messaging done by others using HIBP and here is what stands out to me:
- they all appear to block users from using pwned passwords
- some delay mentioning HIBP like Kogan
- or they show it right away like EVE and a few others
I see no info on whether linking to HIBP as part of an error message makes for a distraction that takes users away from the funnel, but my gut feeling is to want to delay talking about HIBP and linking to them to avoid that. So my suggestions are:
- block any pwned password, even ones with a pwned count of <= 10 – I'm coming around to suggestions from the architecture guild folks to not allow any pwned passwords in the system. My thinking is that if a hacker is serious about getting into an account they will probably check if it appears in breach data and they, more than likely, will try any leaked passwords against that account. In addition, I cannot spot a service that warns users about choosing a pwned password but does not block them.
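As an added example (not code from this thread or the project), here is an offline check of the policy discussed above, using the HIBP Pwned Passwords range-lookup format: only the first five hex characters of the password's SHA-1 are sent to the service and the suffix match happens on the client. The breach counts and the `fake_fetch_range` stand-in for the HTTP call are constructed for the example.

```python
import hashlib
from collections.abc import Callable

# Constructed breach counts used to build fake range responses; not real HIBP data.
_CONSTRUCTED_COUNTS = {"password": 3730471, "Summer2019!": 7}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix compared locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_fake_ranges(counts: dict[str, int]) -> dict[str, str]:
    """Build fake range responses keyed by hash prefix, in the real
    'SUFFIX:COUNT' line format, so the checker can run offline."""
    ranges: dict[str, list[str]] = {}
    for pw, n in counts.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{n}")
    for prefix in ranges:
        # Padding entries with count 0 appear when the Add-Padding header is used;
        # the parser must tolerate them.
        ranges[prefix].append("0" * 35 + ":0")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges(_CONSTRUCTED_COUNTS)


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in breach data (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def password_allowed(password: str, fetch_range: Callable[[str], str],
                     max_count: int = 0) -> bool:
    """max_count=0 rejects any pwned password (the proposal above);
    max_count=10 is the looser threshold mentioned earlier in the thread."""
    return pwned_count(password, fetch_range) <= max_count
```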