Check password on "Have I been Pwned" API
=========================================

This plugin can be used to check your password against the HIBP API.
It is used in:

- :doc:`password change`
- :doc:`password reset by mail`

Configuration
-------------

Browse the Manager web interface for this configuration.

You have to enable the :doc:`local password policy` in ``General Parameters > Portal > Customization > Password policy`` for the plugin to work:

- **Activation**: on
- **Display policy in password form**: on

Then enable the checkHIBP plugin in ``General Parameters > Advanced parameters > Security > Check HIBP API``:

- **Activation**: Enable / Disable this plugin
- **Have I Been Pwned URL**: URL of the Have I Been Pwned API (defaults to ``https://api.pwnedpasswords.com/range/``)
- **Require HIBP check to pass**: Whether the HIBP check is required to pass (defaults to ``Off``)

Usage
-----

When enabled, the ``/checkhibp`` route is added to the LemonLDAP API.
It checks new user passwords against the Have I Been Pwned API and
displays a warning message if the password is compromised.

.. note::

    The URL parameter is mandatory, and there is no default value.
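
The lookup that a ``/range/`` URL such as the one above serves, shown as an added example (not the plugin's own code): the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 locally against the returned ``SUFFIX:COUNT`` lines. Function names are hypothetical, and the response body used by ``fake_fetch`` is constructed so the example runs offline.

```python
import hashlib
import urllib.request

HIBP_URL = "https://api.pwnedpasswords.com/range/"  # URL shown on this page

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def http_fetch(url):
    """Real network fetch; the offline demo below does not call it."""
    # Add-Padding asks the service to pad the response with zero-count entries.
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=http_fetch, base_url=HIBP_URL):
    """Times the password appears in the data set; 0 means not listed
    (padding entries carry a count of 0 and therefore also yield 0)."""
    prefix, suffix = split_sha1(password)
    # Only the 5-character prefix leaves the host; matching happens locally.
    return parse_range_body(fetch(base_url + prefix)).get(suffix, 0)

# --- Offline demo with a constructed response body ---
requested = []  # URLs the demo fetcher was asked for

def fake_fetch(url):
    requested.append(url)
    listed = split_sha1("password")[1]         # constructed: listed 42 times
    padding = split_sha1("padding-entry")[1]   # constructed: padding, count 0
    return f"{listed}:42\r\n{padding}:0\r\nnot-a-valid-line\r\n"

if __name__ == "__main__":
    print(breach_count("password", fake_fetch))        # listed in the sample
    print(breach_count("padding-entry", fake_fetch))   # padding entry only
    print(breach_count("some other phrase", fake_fetch))
    print(requested[0])                                # prefix only in the URL
```
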