How to use the Password Breach Checking feature?

Ashley Grant

Your LogonBox product can set limits on the types of passwords that your users are able to configure. This goes beyond the standard password policy settings and is found in the Banned Passwords module. Password Breach Checking uses the Have I Been Pwned system to proactively check passwords.

The Have I Been Pwned service allows you to search across multiple data breaches that have been leaked from other organisations to see if your password has been compromised.

This service is safe to use, and your password is not sent to this third-party service. For more information, see the appendix.


Configuring the Have I Been Pwned Settings

Navigate to Security & Permissions->Password API.

These checks are Enabled by default.

For checks whilst resetting a password, the Enable option must be set to ON.

For checking the user's password each time they log in to My Account, the Proactive Password Breach Checking option must be ON.


The API Key option can be left blank, in which case the system uses LogonBox's own connection to the API. If you have your own API Key (https://haveibeenpwned.com/API/Key) that you prefer to use, you can enter it here.

With this configured, LogonBox checks passwords every time they are reset by a user or an admin from the LogonBox UI. The Proactive portion also performs the check when a user logs on to My Account and rejects any password that is recognised as breached. For example, the password Qwerty123? is a known breached password; if we try to set it for one of the users, it will be rejected.

The Rejection Message can also be configured in Security & Permissions->Password API if required.


Providing a password that is not blocked by the API will result in a successful password change/reset and a more secure login.


Appendix: How does this work?

When a user changes their password via LogonBox, the LogonBox server hashes the password and sends the first 5 characters of that hash to the Have I Been Pwned service.

The service returns a list of full hashes back to LogonBox, which then checks the full hashes for any match.

This method allows your newly set password to remain confidential.
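The following is an added illustration of the prefix-based lookup described in this appendix; it is not LogonBox's own code. The breached-password list and the stand-in for the Have I Been Pwned range endpoint are constructed for the example, and only the 5-character hash prefix ever crosses the boundary between client and service.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the Have I Been Pwned breach corpus.
# "Qwerty123?" is the example from the article; the other entries are made up.
SAMPLE_BREACHED = {"Qwerty123?": 1200, "password": 9_000_000, "letmein": 250_000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range lookup works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for the service side of a range query.

    A live lookup would GET https://api.pwnedpasswords.com/range/<prefix> and
    receive one "<35-char suffix>:<count>" line per stored hash that starts
    with the prefix. The service never sees the full hash or the password.
    """
    assert len(prefix) == 5, "a range query carries exactly 5 hex characters"
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the number of times the password appeared in breaches (0 = not found).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_allowed(password: str) -> bool:
    """Policy decision mirroring the article: any breached password is rejected."""
    return breach_count(password) == 0
```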