# ory-copilot
@chilly-king-10285 is there an endpoint for validating new passwords against haveibeenpwned, or do I need to use recovery flow?
A message from kapa.ai
Ory uses the "Have I Been Pwned" (HiBP) API to check if the password a user registers with has been part of a breach. This feature is enabled by default and checks passwords against the HiBP breach database. This way, Ory makes sure your users can't use passwords like "password", "123456" or any other commonly used one. The [range API](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange) is used to protect the value of the password. If you want to disable this feature, you can use the Ory CLI to toggle it:
```bash
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/haveibeenpwned_enabled=false'
```
In some environments, if it's difficult to establish egress connectivity to non-approved hosts, you can host the HiBP API yourself and configure Kratos to use your own instance. Here's how you can configure Kratos to use your API:
```yaml
selfservice:
  methods:
    password:
      config:
        haveibeenpwned_host: api.private.host
```
However, this feature is not directly related to the recovery flow. The recovery flow is used to allow users to recover access to their accounts. It's used in conjunction with the settings flow and when a recovery flow is submitted, a session is issued to the application, allowing the user to reset their password and update their profile information on the settings page.

Sources:
- [Password policy - Leaked password check](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check)
- [Hosting your own breached password detection API](https://www.ory.sh/docs/kratos/guides/hosting-own-have-i-been-pwned-api)
- [Recovery flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#recovery)
@chilly-king-10285 Passwords are not checked for breach if they are set through an admin api. Can you turn that on somehow?
A message from kapa.ai
Based on the provided knowledge sources, there is no direct information about enabling breached password checks for passwords set through the admin API. However, Ory does provide a feature to check passwords against the "Have I Been Pwned" (HiBP) API during user registration. This feature is enabled by default and can be toggled using the Ory CLI:
```bash
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/haveibeenpwned_enabled=false'
```
If you want to use this feature in a restricted environment, you can host the HiBP API yourself and configure Kratos to use your own instance:
```yaml
selfservice:
  methods:
    password:
      config:
        haveibeenpwned_host: api.private.host
```
For more specific control over password checks during admin API operations, you may need to refer to the Ory documentation or community for further guidance.

Sources:
- [Password policy - Leaked password check](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check)
- [Hosting your own breached password detection API](https://www.ory.sh/docs/kratos/guides/hosting-own-have-i-been-pwned-api)
@chilly-king-10285 What api endpoint do you mean by user registration? Do you mean self registration?
A message from kapa.ai
Yes, by user registration, it typically refers to self-registration where a new user signs up for an account on their own. In the context of Ory, there are two main API endpoints related to user registration:

1. `GET /self-service/registration/api`: This endpoint initiates a registration flow for API clients such as mobile devices, smart TVs, etc. It should not be used in client-side or server-side browser applications as it can make you vulnerable to CSRF attacks. This endpoint is intended for scenarios such as native mobile apps. More details can be found in the [Ory API Reference](https://www.ory.sh/docs/reference/api).
2. `GET /self-service/registration/browser`: This endpoint initializes a browser-based user registration flow. It sets the appropriate cookies and anti-CSRF measures required for browser-based flows. If a valid user session exists already, the browser will be redirected to a default redirect URL. More details can be found in the [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).

Remember, the actual registration of a new user is done by sending a `POST` request to the `/self-service/registration` endpoint with the user's traits and password. This endpoint behaves differently for API and browser flows. More details can be found in the [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).
@chilly-king-10285 In our use case we need to register users via admin api. How do we check the password against breaches there?
A message from kapa.ai
Based on the provided knowledge sources, there is no direct information about enabling breached password checks for passwords set through the admin API. The Ory Kratos system does provide a feature to check passwords against the "Have I Been Pwned" (HiBP) API during user registration. This feature is enabled by default and can be toggled using the Ory CLI:
```bash
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/haveibeenpwned_enabled=false'
```
However, this feature is primarily designed for self-service registration and it's not clear from the provided sources if it applies to the admin API as well. For more specific control over password checks during admin API operations, you may need to refer to the Ory documentation or community for further guidance.

Sources:
- [Password policy - Leaked password check](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check)
- [Hosting your own breached password detection API](https://www.ory.sh/docs/kratos/guides/hosting-own-have-i-been-pwned-api)
@chilly-king-10285 What happens during setting a password in settings flow, if the HiBP api is not available? And what are conditions, that make it unavailable?
A message from kapa.ai
During the settings flow, if the Have I Been Pwned (HiBP) API is not available, the password update process may fail. The HiBP API is used by Ory Kratos to check if the password a user is trying to set has been part of a breach. If the API is not available, this check cannot be performed.

The HiBP API could be unavailable due to several reasons such as:
- Network connectivity issues between your Ory Kratos instance and the HiBP API.
- The HiBP API itself is down or experiencing issues.
- Your Ory Kratos instance is operating in an environment where it can't communicate with the HiBP API at haveibeenpwned.com due to various CISO policies.

If you're operating in such an environment and there's a requirement to check if passwords have been leaked, you can host the HiBP API yourself and configure Kratos to use your own instance. Here's how you can configure Kratos to use your API:
```yaml
selfservice:
  methods:
    password:
      config:
        haveibeenpwned_host: api.private.host
```
Alternatively, this feature can be disabled altogether. However, by doing so you will significantly decrease the security of the service and not follow NIST guidelines.

Sources:
- [Hosting your own breached password detection API](https://www.ory.sh/docs/kratos/guides/hosting-own-have-i-been-pwned-api)
- [Password policy - Leaked password check](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check)
@chilly-king-10285 What are the CISO policies? What are the real life examples of it being unavailable?
A message from kapa.ai
CISO stands for Chief Information Security Officer. CISO policies refer to the rules and guidelines set by the CISO in an organization to ensure the security and integrity of information and data. These policies can cover a wide range of areas including network security, data privacy, risk management, and incident response.

In the context of Ory Kratos and the Have I Been Pwned (HiBP) API, a CISO policy might restrict outbound network connections from the environment where Kratos is running. This could be due to a variety of reasons such as:
- The organization has a strict policy against connecting to external APIs due to security concerns.
- The organization's network is behind a firewall that blocks outbound connections.
- The organization operates in a region where access to certain internet resources is restricted or censored.

In such cases, the HiBP API might be unavailable for Kratos to use. To work around this, you can host the HiBP API yourself and configure Kratos to use your own instance:
```yaml
selfservice:
  methods:
    password:
      config:
        haveibeenpwned_host: api.private.host
```
Remember, these are just examples and the actual reasons can vary based on the specific policies and network setup of your organization.

Sources:
- [Hosting your own breached password detection API](https://www.ory.sh/docs/kratos/guides/hosting-own-have-i-been-pwned-api)
- [Password policy - Leaked password check](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check)
@chilly-king-10285 If I needed a new endpoint, who or where do I ask for it?
A message from kapa.ai
If you need a new endpoint in Ory, you can request it by creating a new issue in the relevant Ory project on GitHub. Here are the links to the discussion boards for each major project:
- [Ory Kratos discussions](https://github.com/ory/kratos/discussions)
- [Ory Hydra discussions](https://github.com/ory/hydra/discussions)
- [Ory Keto discussions](https://github.com/ory/oathkeeper/discussions)
- [Ory Oathkeeper discussions](https://github.com/ory/oathkeeper/discussions)

Before creating a new issue, please make sure to check if a similar request has already been made. If it has, you can contribute to the existing discussion. You can also join the [Ory Community Slack](https://slack.ory.sh/) to discuss your needs with other Ory users and contributors.

Source: [Ory Community resources](https://www.ory.sh/docs/ecosystem/community)
@chilly-king-10285 who should I ask on slack? Or in which channel?
A message from kapa.ai
On the [Ory Community Slack](https://slack.ory.sh/), there are various channels dedicated to different topics. You can post your question in the relevant channel based on the Ory project you're working with. For example, if your question is about Ory Kratos, you can ask in the #kratos channel. If you're unsure about which channel to use, you can start by posting your question in the #general channel. The community members or the Ory team can then guide you to the appropriate channel if needed. Remember to provide as much detail as possible about your request when you post your question. This will help others understand your needs and provide more accurate responses.

Source: [Ory Community resources](https://www.ory.sh/docs/ecosystem/community)