This repository has been archived by the owner on Jul 16, 2021. It is now read-only.

Remove uncompromised() out of laravel core #2587

Closed
thyseus opened this issue Apr 27, 2021 · 4 comments

thyseus commented Apr 27, 2021

Please remove the new uncompromised() feature introduced in laravel/framework#36960 out of the Laravel framework core. It is absolutely irresponsible to send the plain-text password, or even hashed password of any user registering to a third party service most probably without letting him know. I feel fine if there is a third party extension, but this potentially malicious design behaviour should not be promoted inside the Laravel core.

Of course a developer is not forced to use this feature inside his application, but this behaviour should not be promoted. Please keep the way of handling passwords agnostic and secure.


base-zero commented Apr 27, 2021

@thyseus I would highly recommend that you read over the code in Laravel that is used for this feature as nothing is sent in plain-text! I would also recommend that you read the API docs for haveibeenpwned and you will see that security is the most important thing for this API and that it's not as simple as sending hashes out to a 3rd party.

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

Please read the docs and code to see how the system works and how security is built into the design of the system from the start, before scaremongering with incorrect comments.


thyseus commented Apr 27, 2021

@base-zero thanks a lot for that link. I am going to inform myself about the security of that service. At first glance it just looked suspicious to me, but it looks like this service can be "trusted".

Since the Laravel community seems to have much trust in this service, I will close this issue.

(btw it wasn't my intention to scare anybody...)

thyseus closed this as completed Apr 27, 2021

lk77 commented Apr 28, 2021

Yeah, you can trust it: only the first 5 characters of the hash are sent, you get hundreds of hashes back and you have to check for the hash you want yourself.
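
The range lookup described in the comment above, as an added example that is not part of the original thread or of Laravel's code. It assumes SHA-1 hex digests and a `SUFFIX:COUNT` line format for the response; `fake_range_server`, `lookup` and the sample corpus are hypothetical, constructed stand-ins for the network call so the block runs offline.

```python
import hashlib

# Constructed stand-in for the breach corpus held by the remote service.
CONSTRUCTED_CORPUS = {"password": 5, "letmein": 2, "qwerty123": 1}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Hypothetical offline server: it only ever receives the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("range query must be exactly 5 hex characters")
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in CONSTRUCTED_CORPUS.items()
             if sha1_hex(pw).startswith(prefix)]
    # Constructed decoys: a real bucket holds many unrelated suffixes.
    lines += [f"{sha1_hex(f'decoy-{prefix}-{i}')[5:]}:{i + 1}" for i in range(3)]
    return "\r\n".join(sorted(lines))


def lookup(password: str, query=fake_range_server):
    """Return (what_was_sent, breach_count); the match is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Skip malformed lines; compare only against the locally kept suffix.
        if candidate.upper() == suffix and count.isdigit():
            return prefix, int(count)
    return prefix, 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2021"):
        sent, count = lookup(pw)
        print(f"sent to server: {sent!r}  breach count: {count}")
```

The server side never sees the remaining 35 hex characters, so it cannot tell which entry in the returned bucket, if any, the client was checking.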


thyseus commented Apr 28, 2021

@lk77 exactly as I grasped this concept, my heart was relieved... :)

But how about adding a prominent section about this fact somewhere to the documentation for other inexperienced developers to avoid this shock? Or placing the given Cloudflare link somewhere in the Laravel documentation about this topic?
