Pwned Passwords Check

Problem this snippet solves:

This snippet makes it possible to use Troy Hunt’s ‘Pwned Passwords’ API. By using this API one can check if the password being used was exposed in earlier data breaches. You can use this information to deny access to highly secure resources or to force a user to first change it’s password to one that isn’t known to be exposed to earlier data breaches. Or you could choose to just to inform a user that it would be wise to change it’s password.

It’s good to note that the password itself will not be shared while using this API. This snippet uses a mathematical property called k-anonymity. For more information about k-anonymity and Troy Hunt’s ‘Pwned Passwords’ API see:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

This snippet also uses Patt-tom McDonnell’s hibp-checker node package.

How to use this snippet:

Prepare the BIG-IP

  • Provision the BIG-IP with iRuleLX.
  • Create LX Workspace: hibp
  • Add iRule: hibp-irule
  • Add Extension: hibp-extension
  • Add LX Plugin: hibp-plugin -> From Workspace: hibp

Install the node.js hibp-checker module

# cd /var/ilx/workspaces/Common/hibp/extensions/hibp-extension/
# npm install hibp-checker --save
/var/ilx/workspaces/Common/hibp/extensions/hibp-extension
└── hibp-checker@1.0.0 
#
irule

To make it works, you need to install the irule on the Virtual Server that publish your application with APM authentication.

access profile

If you already have an existing access profile, you will need to modify it and include some additionnal configuration in your VPE. If you have no access profile, you can starts building your own based on the description we provide below.

Configuring the Visual Policy Editor

The printscreen below is an example Visual Policy Editor on how you can use the Pnwed Password snippet.

VA – Force Password Change

This is a Variable Assignment agent that triggers APM to show a Change Password window. Set variable: 

session.logon.last.change_password
to Custom Expression: 
expr { 1 }

VA – Get Password

This is a Variable Assignment agent that copies the password to a session variable that can be read by the hibp irule. Set variable: 

session.custom.hibp.password
to Custom Expression: 
return [mcget -secure {session.logon.last.password}]

IE - HIBP

This is an irule event with the ID set to ‘hibp’. This will trigger the hibp_irule to come into action.

EA – HIBP Verdict

This is an Empty Action with two branches. The branch named "Not Pwned" contains the following expression : 

expr { [mcget -nocache {session.custom.hibp.status} ] == 0 }

MB – Exposed Password

This is a message box that will inform the user that it’s password was exposed in earlier data breaches and a password change is needed. The message could be something like this:

The password you are using was found in %{session.custom.hibp.status} data breaches. In order to be compliant with our security policy, you must change your password.

hibp_irule
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id ] eq "hibp" } {

        set password [ACCESS::session data get session.custom.hibp.password]
        set failonerror 0

        if { $password eq "" } {
            log local0. "Error: no password set"
            ACCESS::session data set session.custom.hibp.status $failonerror
            return
        }

        set rpc_handle [ ILX::init hibp-plugin hibp-extension ]
        if {[ catch { ILX::call $rpc_handle -timeout 12000 hibpCheck $password } result ] } {
            log local0. "hibpCheck failed. ILX failure: $result"
            ACCESS::session data set session.custom.hibp.status $failonerror
            return
        }

        ACCESS::session data set session.custom.hibp.status [expr { $result }]
    }
}

Code :

var f5 = require('f5-nodejs');
const checkPassword = require('hibp-checker');

// Create a new rpc server for listening to TCL iRule calls.
var ilx = new f5.ILXServer();

ilx.addMethod('hibpCheck', function(req, res) {
    var password = req.params()[0];
    
    var breachCount = checkPassword(password);
    
    breachCount.then(function(result) {
        return res.reply(result);
    }, function(err) {
        return res.reply(err);
    });

});

// Start listening for ILX::call and ILX::notify events.
ilx.listen();

Tested this on version:

13.0
Updated Jun 06, 2023
Version 2.0
api
APM
application delivery
devops
irule
password
pwned

Was this article helpful?

15 Comments

Sort By
  • JoshBecigneul's avatar
    JoshBecigneul
    Icon for MVP rankMVP
    Mar 06, 2018

    Hi Niels,

    This worked great, but I had to make a few adjustments before everything would load, when following your example in the preparation step. I got an error similar to this:

    01070151:3: Rule [/Common/hibp_plugin/hibp_irule] error: Unable to find app_project (hibp-plugin) referenced at line 13: [ILX::init hibp-plugin hibp-extension]

    I had to change 

    set rpc_handle [ ILX::init hibp-plugin hibp-extension ]
    to 
    set rpc_handle [ ILX::init hibp_plugin hibp_extension ]
    before I could commit the changes.

    Otherwise this works great and I'm considering putting it to use.

    Thanks.

    Josh Becigneul

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Mar 07, 2018

    Hi Josh,

     

    Thanks for your feedback! Happy to know someone finds this snippet useful :-) I've corrected the installation instructions.

     

    Kind regards,

     

    Niels

     

  • JoshBecigneul's avatar
    JoshBecigneul
    Icon for MVP rankMVP
    Mar 09, 2018

    Hi Niels,

    I'm having trouble testing this on v12.1.3, it seems that the value obtained by hibp-checker doesn't make it back to the iRule. The version of node supplied is v0.12.15.

    The function call for breachCount.then() doesn't appear to return a value to ILX::call despite the Pwned API call retrieving data.

    breachCount.then(function(result) {
    console.log(result); // logs the value retrieved
    return res.reply(result); 
},

    Any thoughts?

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Mar 09, 2018

    Hi Josh,

    I'm not running v12.1.3, so it's not easy to reproduce for me. I did test with node v0.12.15 on version 13.1.0.2 without any problems. See here the logging:

    Mar  9 16:43:18 nielsvs-bigip info sdmd[7344]: 018e0017:6: pid[3433]  plugin[/Common/hibp-plugin.hibp-extension] 0
Mar  9 16:44:59 nielsvs-bigip info sdmd[7344]: 018e0017:6: pid[3433]  plugin[/Common/hibp-plugin.hibp-extension] 354
Mar  9 16:45:22 nielsvs-bigip info sdmd[7344]: 018e0017:6: pid[3433]  plugin[/Common/hibp-plugin.hibp-extension] 0

    Did you also log on 

    function(err)
    ?

    Kind regards,

    Niels

  • Walter_Kacynski's avatar
    Walter_Kacynski
    Icon for Cirrostratus rankCirrostratus
    Mar 12, 2018

    session.custom.hibp.password is not required for this use case and exposes the users password in clear text in log files and in core dumps.

     

    Instead, you can code and eliminate the extra VPE agent.

     

    set password [ACCESS::session data get -secure session.logon.last.password]
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Mar 12, 2018

    @Walter,

    I thought like you and I tested it. 

    set password [ACCESS::session data get -secure session.logon.last.password]
    command returns no password. it seems F5 blocked this command to get password variable for security reasons (there are some questions on DC with same result)

  • Walter_Kacynski's avatar
    Walter_Kacynski
    Icon for Cirrostratus rankCirrostratus
    Mar 12, 2018

    Odd, as I use this method in other irules to extract passwords to re-insert in HTTP Headers for Basic Auth SSO.

     

  • lnxgeek's avatar
    lnxgeek
    Icon for MVP rankMVP
    Apr 17, 2018

    This is just awesome piece of work!

     

    For iRuleLX newbies (myself included) I will add a couple of hints to the tutorial.

     

    The "hibp_irule" goes under iRules inside the LX Workspace "hibp" and not like I did in the beginning putting them where the "normal" iRules goes. Like this:

     

    Second, the code piece (the actual iRuleLX) goes into the "index.js" in the tree like this:

     

    And last but not least in the VPE you need to edit the macro settings of "Authenticate and Check Password" to allow at least 2 loops otherwise the variable assignment "session.logon.last.change_password" doesn't initiate a change password process and just fails (ends up in deny). Also the "loop" ending isn't available to you when you build it before this is adjusted. This is what it looks like:

     

    Hopefully others will be spared the tedious hours of banging your head against the wall of malfunction, thus this cartoon post :-)

     

    Even if iRuleLX is still a black voodoo box for me this example really show the tremendous potential this tool wheels.

     

    Nodejs guys please keep posting so others like me can learn! :-)

     

    P.S. I don't know how to scale the pictures to fit the post width....

     

  • EricBrokeIt_245's avatar
    EricBrokeIt_245
    Icon for Nimbostratus rankNimbostratus
    Sep 07, 2018

    Is there an easy way to test this without having to give a user a terrible password, or is there a troubleshooting process? I ask cause I keep hitting pwned even with randomly generated complex passwords, pwned every time on 12.x. I can only assume its in the IE HIBP or the HIBP Verdict, any easy way to test those components?