has_unpublished_password

Adds a new validation for ActiveRecord, 'has_unpublished_password'


License
MIT
Install
gem install has_unpublished_password -v 0.2.0

Documentation

HasUnpublishedPassword

What is it?

This is a gem which performs offline checks against the HIBP master list (well, the top 11,000,000 passwords in it).

It can be used to ensure that your users are not using credentials which have previously been leaked.

The checks are performed using a pre-built bloom filter.

Why not the full list?

There's a tradeoff to be made between the false positive rate, the number of passwords checked, and the amount of disk/network bandwidth used.

The full list is ~11gb compressed, and the smallest bloom filter that'll get an acceptable false positive rate on the full list is ~1gb. This gem is 32mb.

Status

In use in production on a fairly large site (https://radiopaedia.org).

The released version of this gem includes ~30mb of bloom filter containing the top 11,200,000 most-leaked passwords according to HIBP.

Checking set membership is fast, and the false positive rate is about 0.001%.

Installation

Add this line to your application's Gemfile:

gem 'has_unpublished_password'

And then execute:

$ bundle

Or install it yourself as:

$ gem install has_unpublished_password

Usage

Validation

validates :password, never_leaked_to_hibp: true

Development

Building the filter

First, download the master list from HIBP (I used the 'ordered by frequency' list) and decompress it.

Then, run bundle exec data/prepare-and-validate.rb <path-to-master-list-file>.

This takes quite awhile; it'll print how many lines it's completed periodically.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/danielheath/has_unpublished_password. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the HasUnpublishedPassword project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.