@melissasoding @grassdog I've looked at messaging done by others using HIBP and here is what stands out to me:
- they all appear to block users from using pwned passwords
- some delay mentioning HIBP, like Kogan
- others show it right away, like EVE and a few others
I see no info on whether linking to HIBP as part of an error message makes for a distraction that takes users away from the funnel, but my gut feeling is to want to delay talking about HIBP and linking to them to avoid that. So my suggestions are:
- block any pwned password, even ones with a pwned count of <= 10 – I'm coming around to suggestions from the architecture guild folks to not allow any pwned passwords in the system. My thinking is if a hacker is serious about getting into an account they will probably check if it appears in breach data and they, more than likely, will try any leaked passwords against that account. In addition, I cannot spot a service that warns users about choosing pwned passwords but does not block them.
- keep the message short and sweet, like "This password is known to be leaked on the Internet and potentially used by hackers. Please choose a different one." Then maybe this article on "New Password Not Accepted" can be extended to describe this error message.
What do you think?
Also here are the examples I see:
I dug this out of their source code since I didn't want to install NextCloud anywhere
'Password is present in compromised password list. Please choose a different password.'
makes a security plugin for Wordpress
Possibly the most 80s looking UI ever
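For anyone implementing the policy discussed in this thread, here is an added example (not code from the thread, GitLab, NextCloud or any of the products pictured) of a Pwned Passwords k-anonymity check with the "block any pwned password" rule from the comment above, using its proposed error wording. It runs offline against a constructed fixture; `fake_fetch_range`, `SAMPLE_RANGES`, the breach counts and the second password are assumptions made up for this example, while the SHA-1 of `password` and the `SUFFIX:COUNT` response format are real.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Added example: k-anonymity lookup against the Pwned Passwords range API,
# demonstrated here against a constructed offline fixture.
# The real endpoint is GET https://api.pwnedpasswords.com/range/<5-hex-prefix>;
# only the first five hex characters of the SHA-1 ever leave the client.

# Wording proposed in the comment above; the caller decides whether and when
# to mention HIBP in the surrounding help text.
BLOCKED_MESSAGE = (
    "This password is known to be leaked on the Internet and potentially "
    "used by hackers. Please choose a different one."
)

FetchRange = Callable[[str], str]  # prefix -> raw response body


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated) into {suffix: count}.
    Entries with count 0 are the padding the API adds when the client sends
    'Add-Padding: true'; they carry no information and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines; they must not decide the outcome
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: FetchRange) -> int:
    """Number of times the password appears in breach data (0 if unseen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def validate_password(password: str, fetch_range: FetchRange,
                      threshold: int = 1) -> Optional[str]:
    """Return BLOCKED_MESSAGE if the password appears at least `threshold`
    times, else None. threshold=1 is the 'block any pwned password' policy
    argued for above; threshold=11 would tolerate counts <= 10."""
    if pwned_count(password, fetch_range) >= threshold:
        return BLOCKED_MESSAGE
    return None


# --- Constructed offline fixture standing in for the live API ---------------
SAMPLE_RANGES: Dict[str, str] = {}


def _add_sample(prefix: str, suffix: str, count: int) -> None:
    SAMPLE_RANGES[prefix] = SAMPLE_RANGES.get(prefix, "") + f"{suffix}:{count}\r\n"


# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 (real hash);
# the count is constructed for this example, not the live figure.
_add_sample("5BAA6", "1E4C9B93F3F0682250B6CF8331B7EE68FD8", 3861493)
_add_sample("5BAA6", "0123456789ABCDEF0123456789ABCDEF012", 42)  # unrelated neighbour
_add_sample("5BAA6", "FEDCBA9876543210FEDCBA9876543210FED", 0)   # padding entry
# A hypothetical password seen only a handful of times (count <= 10).
_LOW_PREFIX, _LOW_SUFFIX = sha1_prefix_suffix("Tr0ub4dor&3-example")
_add_sample(_LOW_PREFIX, _LOW_SUFFIX, 7)


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET; returns the constructed body for a prefix."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-example", "a passphrase nobody has leaked"):
        print(pw, "->", pwned_count(pw, fake_fetch_range),
              validate_password(pw, fake_fetch_range))
```

Swapping `fake_fetch_range` for a real HTTP call to the range endpoint is the only change needed to go live; keeping the policy threshold as a parameter makes it easy to compare the "block anything" rule with a count-based one during review.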