Hello everybody What is the default value for `max breaches` Ory Community #talk-kratos

Hello everybody What is the default value for `ma...

cuddly-plastic-72839

08/18/2023, 10:26 AM

Hello everybody What is the default value for

max_breaches

bland-eye-99092

08/18/2023, 10:31 AM

Looking at the code, it’s 0. https://github.com/ory/kratos/blob/master/driver/config/config.go#L1361 (if the value is not supplied, the config library returns 0).

limited-photographer-61008

08/18/2023, 12:11 PM

Max value 100 😂

cuddly-plastic-72839

08/18/2023, 12:31 PM

Thank you @bland-eye-99092

bland-eye-99092

08/18/2023, 12:33 PM

LOL! I don’t think there is a practical reason for that

red-daybreak-60329

08/23/2023, 8:22 AM

Where did you get this file which is in the image that tells you about all the configuration?

limited-photographer-61008

10/04/2023, 2:18 PM

@bland-eye-99092 circling back to this. I noticed in our Ory Network project identity configs, that

max_breaches

is set to

by default. Does this mean that the password is allowed to have been in one breach?

bland-eye-99092

10/04/2023, 3:46 PM

yes that’s correct. Not sure why we have it on 1 🤔 You can set it to 0, to disallow any breached passwords.

limited-photographer-61008

10/04/2023, 4:01 PM

Ok, I’ll go through my projects and set them all to

. I think it would be a good idea to make that the default for any new project. We had a pen tester tell us that the “leaked password check didn’t seem to be functioning”. So it could be that, or I’m wondering if due to the

ignore_network_errors: true

, they overwhelmed the system or something and the passwords weren’t being checked properly. I’ll try to get more info.

bland-eye-99092

10/04/2023, 4:03 PM

I think it would be a good idea to make that the default for any new project.

Agreed. Thanks for pointing this out.

I’ll try to get more info.

That would be great.

limited-photographer-61008

10/04/2023, 4:10 PM

I just set

max_breaches

, and now there is no longer a value in the identity-config used to be

Copy code

"password": {
  "config": {
    "haveibeenpwned_enabled": true,
    "identifier_similarity_check_enabled": true,
    "ignore_network_errors": true,
    "max_breaches": 1,
    "min_password_length": 10
  },
  "enabled": true
},

But now is

Copy code

"password": {
  "config": {
    "haveibeenpwned_enabled": true,
    "identifier_similarity_check_enabled": true,
    "ignore_network_errors": true,
    "min_password_length": 10
  },
  "enabled": true
},

Can you please verify that the value is

now?

bland-eye-99092

10/04/2023, 4:11 PM

Yes, if it’s not rendered it falls back to 0. https://github.com/ory/kratos/blob/master/driver/config/config.go#L1362 You should be able to verify by registering with “test123” for example.

limited-photographer-61008

10/04/2023, 4:12 PM

thanks

3 Views

Open in Slack

Previous Next