This repository was archived by the owner on Oct 12, 2022. It is now read-only.

Description
When a list of user ids (usernames/emails)/passwords from a compromised site is obtained, the system should facilitate:
- Testing if a user used the same password on that other site in real time if the password is known.
- Testing the next time the user's correct password is entered if we only have a hash of the password (but know the hash function).
- Adding an attribute to the account so that it can be searched easily and so password-reset can be enforced.
- Revoking any cookies created after the suspected date of compromise or otherwise providing less benefit to having such a cookie.
- Optionally preventing all logins from clients that do not have cookies that predate the compromise.
- Tracking compromised passwords as a new type to use when penalizing blocking attacks. The use of a compromised password from an IP the user has logged in from before may be an indicator that an IP is trying to log in with these passwords.
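
The first four items above, sketched as an added example (not code from this repository). `LeakedRecord`, `Account`, the flag name, the salt-then-password hash layout and the PBKDF2 store are all assumptions made for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

FLAG = "compromised_password_reset_required"   # hypothetical attribute name

@dataclass
class LeakedRecord:                     # one entry from the breached site's list
    user_id: str
    password: Optional[str] = None      # set when the plaintext is known
    hash_hex: Optional[str] = None      # set when only a hash is known
    salt: bytes = b""
    algo: str = "sha1"                  # the breached site's known hash function

@dataclass
class Account:                          # caller matches records to accounts by user_id
    user_id: str
    pw_salt: bytes
    pw_hash: bytes
    flags: set = field(default_factory=set)
    cookies: dict = field(default_factory=dict)   # cookie id -> issue time
    pending_leak: Optional[LeakedRecord] = None

def own_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def flag_account(account: Account, compromise_date: datetime) -> None:
    account.flags.add(FLAG)             # searchable; drives the forced reset
    account.cookies = {c: t for c, t in account.cookies.items() if t < compromise_date}

def import_leak(account: Account, rec: LeakedRecord, compromise_date: datetime) -> None:
    """Plaintext known: test now. Hash only: park it until the next correct login."""
    if rec.password is not None:
        if hmac.compare_digest(own_hash(rec.password, account.pw_salt), account.pw_hash):
            flag_account(account, compromise_date)
    else:
        account.pending_leak = rec

def login(account: Account, password: str, compromise_date: datetime) -> bool:
    if not hmac.compare_digest(own_hash(password, account.pw_salt), account.pw_hash):
        return False                    # wrong password: leaked hash is not tested
    rec = account.pending_leak
    if rec is not None:                 # correct plaintext is available only at this moment
        digest = hashlib.new(rec.algo, rec.salt + password.encode()).hexdigest()
        if hmac.compare_digest(digest, rec.hash_hex):
            flag_account(account, compromise_date)
        account.pending_leak = None     # current password has now been checked
    return True
```
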