Ask HN: Thoughts on a website-embeddable, credential validating service?

Reading Troy Hunt's password release V2 blog post [0], I came across the NIST recommendation to prevent users from creating accounts with passwords discovered in data breaches. This got me thinking: would a website admin (e.g., a small business owner with a custom website) benefit from a service that validates user passwords?

The idea is to create a registration iframe with forms for email, password, etc., which would check hashed credentials against a database of data from breaches. Additionally, client-side validation would enforce rules recommended by NIST's Digital Identity Guidelines [1], which would relieve admins from implementing their own rules. I'm sure there are additional security features that can be added.

1. Have you seen a need for this type of service, and could you see this being adopted at all?
2. Do you know of a service like this? I've looked, no hits so far.
3. Does the architecture seem sound?

[0]: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
[1]: https://www.nist.gov/itl/tig/projects/special-publication-800-63
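
One way the breach check and a length rule from the post could fit together, as an added example (not code from the post or from any existing service): the client sends only a short prefix of the password's SHA-1 digest and compares the returned suffixes locally, so the validating service never receives the password or its full hash. The function names, the sample corpus, the 5-character prefix and the 8-character minimum are assumptions of this sketch.

```python
import hashlib

MIN_LEN = 8      # assumed minimum length for user-chosen passwords
PREFIX_LEN = 5   # assumed number of hex characters sent to the service

# Constructed breach corpus (password -> times seen), standing in for the
# service's real database.
BREACHED_SAMPLE = {"password": 3, "P@ssw0rd": 5, "letmein123": 7}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(breached):
    """Service side: bucket full digests by their first PREFIX_LEN characters."""
    index = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_lookup(index, prefix):
    """Service side: return the whole bucket; the full digest is never sent."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return dict(index.get(prefix, {}))


def validate_password(password, lookup):
    """Client side: return rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("too_short")
    digest = sha1_hex(password)
    # Only the prefix leaves the client; the suffix match happens locally.
    if digest[PREFIX_LEN:] in lookup(digest[:PREFIX_LEN]):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    idx = build_index(BREACHED_SAMPLE)
    for candidate in ("abc", "password", "correct horse battery staple"):
        print(candidate, validate_password(candidate, lambda p: range_lookup(idx, p)))
```

In the iframe design the post describes, `validate_password` would run in the embedded form and `range_lookup` behind the service's endpoint.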