elsparkodiablo
Getting the following error: "API failure when attempting to validate password, please try again shortly" that traces to the pwned password validation. This just started in the last week.
- Fix password checks could incorrectly apply when resetting a user's password
Authorisation
Authorisation is required for all APIs that enable searching HIBP by email address, namely retrieving all breaches for an account and retrieving all pastes for an account. An HIBP subscription key is required to make an authorised call and can be obtained on the API key page. The key is then passed in a "hibp-api-key" header:
GET https://haveibeenpwned.com/api/v3/{service}/{parameter}
hibp-api-key: [your key]
You haven't given the actual connection error, this actually matters for determining the issue.
Apparently the pwned service now requires you to purchase an api key if you are requesting more than every 1500ms or something, it's $3.5 a month. I'm not seeing where to plug that in however.
Disable the "On login; alert the user if they have a known compromised password" option to fully disable the pwned password integration.
Also getting this error in the server logs despite pwned not being enabled at this time
This error is unrelated to the pwned password API, you appear to be using an outbound HTTP proxy setup which isn't working correctly.
- ErrorException: cURL error 56: Received HTTP code 500 from proxy after CONNECT (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
Where would I find the connection error as I do not see it in the error codes being generated in the XenForo server error log?
ErrorException: cURL error 56: Received HTTP code 500 from proxy after CONNECT
The ranged look up doesn't require an API key, even for heavy query loads. Further, the add-on caches the looked up hash chunks for ~7 days which dramatically reduces the number of requests.
Xon, is there going to be a place to plug in the api key for haveibeenpwned since we generate so many requests?
That's great! Though I don't completely understand. Could you point me in the direction of instructions on how to set up haveibeenpwned?
The password complexity and other rules can only be checked when a login event (or registration event) occurs as this is the only time the non-hashed password is known.
This add-on already supports doing a haveibeenpwned check on login, which does enable pushing the user to change from a known compromised password and force email 2fa if no other 2fa is set up.
Ensure "pwned password password validation" is set under "Password check types", and check "On login; alert the user if they have a known compromised password". Then consider if you want "Force email two factor authentication on compromised password" to be used.
I've got those checked. But it sounds like those are for known compromised passwords. How do I force them to increase the password strength if their password is weak? And what does password cache time do? Thanks!
Please LMK!
That isn't supported, the password cache time is how often hash chunks are fetched from haveibeenpwned and is to limit how much traffic is required. I recommend 5-7 days for that which should be the default.
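The ranged lookup and the hash-chunk cache time discussed in this thread, as an added example (not the add-on's code): it follows the public Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 are sent and the returned suffixes are matched locally. `RangeChecker`, `constructed_fetch` and the injected `fetch` callable are hypothetical names, and the sample response is constructed.

```python
import hashlib
import time

CACHE_TTL = 7 * 24 * 3600  # assumption: 7 days, within the 5-7 days recommended above


class RangeChecker:
    """Range lookup with a per-prefix chunk cache (illustrative, not the add-on's API)."""

    def __init__(self, fetch, ttl=CACHE_TTL, clock=time.time):
        self.fetch = fetch    # callable(prefix) -> response body; raises on failure
        self.ttl = ttl
        self.clock = clock
        self.cache = {}       # prefix -> (fetched_at, {suffix: count})

    @staticmethod
    def split_hash(password):
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        return digest[:5], digest[5:]   # only the 5-char prefix is ever sent out

    @staticmethod
    def parse(body):
        chunk = {}
        for line in body.splitlines():
            suffix, _, count = line.strip().partition(":")
            if len(suffix) == 35 and count.isdigit():   # skip malformed lines
                chunk[suffix.upper()] = int(count)
        return chunk

    def count(self, password):
        """Breach count for password, 0 if not listed, None if the lookup failed."""
        prefix, suffix = self.split_hash(password)
        entry = self.cache.get(prefix)
        if entry is None or self.clock() - entry[0] > self.ttl:
            try:
                entry = (self.clock(), self.parse(self.fetch(prefix)))
            except Exception:
                if entry is None:
                    return None   # no chunk at all: report "could not check"
                # otherwise fall through and answer from the stale chunk
            self.cache[prefix] = entry
        return entry[1].get(suffix, 0)


def constructed_fetch(prefix):
    # Constructed response body: the suffix for "password" plus one filler line.
    _, suffix = RangeChecker.split_hash("password")
    return f"{suffix}:42\r\n{'0' * 35}:7\r\n"
```

A `None` result means the lookup could not be made (for example the proxy failure shown earlier in the thread), which is distinct from a count of 0.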