Thank you @andi 🙂
I see you are the developer of this passpolicy plugin.
On the webpage corresponding to this plugin I can read:
"Passwords can also be checked against a list of the 10,000 most commonly used ones.
Passwords can also be checked anonymously against the haveibeenpwned passwords API."
I guess the plugin doesn't do yet what I need it to do (prevent the re-use of compromised passwords), right?
One way to do this, though, according to what I quoted above, would be to allow the admin to define a custom list of banned passwords. I don't know if the aforementioned list of the 10,000 most commonly used passwords is stored online or locally. If it's stored locally, maybe the admin could add passwords to this list in order to make sure they are not used. Otherwise (if it's online), maybe passpolicy could check passwords against a 3rd list: a local blacklist that the admin could manage.
Now, I imagine 2 scenarios:
1) the admin knows that UserX has his password compromised and the admin knows the password of UserX
-> the admin can manually add the password to the blacklist
2) the admin knows that UserX has his password compromised but the admin doesn't know the password of UserX
-> the admin should be able to tell the passpolicy plugin to blacklist the current password of UserX and force UserX to choose a new password.
What do you think?
Does this make any sense?
Is it something you might consider implementing?
Thanks again for everything 🙂
Best,
-a-
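The two scenarios proposed in the post, worked through as an added example that is not part of the original thread or of the passpolicy plugin itself: a local banned list that stores only SHA-1 digests (so the admin can ban a password by hash without ever seeing it, covering scenario 2), plus a k-anonymity lookup in the shape of the Pwned Passwords range API. All class and function names are hypothetical, and the range response is a constructed stand-in so the code runs offline.

```python
import hashlib
from typing import Callable, Iterable, List, Set

def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class BannedPasswordList:
    """Admin-managed local blacklist (hypothetical design, not the plugin's).
    Only digests are stored, so the list never holds plaintext passwords."""
    def __init__(self, common_passwords: Iterable[str] = ()) -> None:
        self._hashes: Set[str] = {sha1_hex(p) for p in common_passwords}
    def ban_plaintext(self, password: str) -> None:
        # Scenario 1: the admin knows the compromised password.
        self._hashes.add(sha1_hex(password))
    def ban_hash(self, digest: str) -> None:
        # Scenario 2: the admin does not know it; the plugin hashes the user's
        # current password at the next login and bans that digest instead.
        self._hashes.add(digest.upper())
    def contains(self, password: str) -> bool:
        return sha1_hex(password) in self._hashes

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>;
# the real reply lists "<suffix>:<count>" for every hash sharing that prefix.
SAMPLE_RANGE_RESPONSE = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"  # SHA-1("password") suffix; count constructed

def sample_fetch_range(prefix: str) -> str:
    """Offline fetcher; a real one would issue the HTTP request for `prefix`."""
    return SAMPLE_RANGE_RESPONSE

def hibp_pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first five hex characters leave the host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0

def check_new_password(password: str, banned: BannedPasswordList,
                       fetch_range: Callable[[str], str]) -> List[str]:
    """Reasons a proposed password must be rejected (empty list = accept)."""
    reasons = []
    if banned.contains(password):
        reasons.append("password is on the local banned list")
    count = hibp_pwned_count(password, fetch_range)
    if count:
        reasons.append(f"password appeared {count} times in known breaches")
    return reasons
```

Wiring `check_new_password` into the password-change path, and calling `ban_hash` on the user's current password at the moment the admin flags the account, is what turns scenario 2 into a forced reset without the admin ever handling the plaintext.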