Risk passwords

You can achieve higher password quality and a higher level of security by using risk passwords for password validation.

Hundreds of millions of real-world passwords previously exposed in data breaches are collected as risk passwords. By validating that leaked passwords are not reused, you significantly increase the level of password security.

The risk passwords are uploaded once per FoxIDs deployment in the master tenant and can be used in all tenants and environments.

1) Download risk passwords (pwned passwords)

Download the SHA-1 pwned passwords in a single file from haveibeenpwned.com/passwords using the PwnedPasswordsDownloader tool.

Be aware that it takes some time to download all risk passwords.
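A long download can be interrupted, so it is worth sanity-checking the file before uploading it. The following is an added example, not part of FoxIDs or the downloader: it assumes each line has the form `<40 hex character SHA-1>:<count>`, and the function names and sample counts are constructed for illustration.

```python
import hashlib
import io
import re

# Assumed line format of the SHA-1 pwned passwords file: "<40 hex chars>:<count>"
LINE_RE = re.compile(r"^([0-9A-Fa-f]{40}):(\d+)$")

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def validate_file(lines):
    """Return (valid_count, bad_line_numbers) for an iterable of text lines."""
    valid, bad = 0, []
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue  # tolerate blank lines, e.g. a trailing newline
        if LINE_RE.match(line):
            valid += 1
        else:
            bad.append(number)
    return valid, bad

def breach_count(password: str, lines) -> int:
    """Return the listed count for the password, or 0 if its hash is absent."""
    target = sha1_hex(password)
    for line in lines:  # streams line by line, so a very large file is never loaded whole
        match = LINE_RE.match(line.strip())
        if match and match.group(1).upper() == target:
            return int(match.group(2))
    return 0

def sample_file() -> io.StringIO:
    """Constructed sample: two real hashes with made-up counts and one cut-off line."""
    return io.StringIO(
        f"{sha1_hex('password')}:1000\n"
        f"{sha1_hex('123456')}:2000\n"
        "5BAA61E4C9B93F3F0682250B6CF8331B7EE6\n"  # truncated, as after an interrupted download
    )

if __name__ == "__main__":
    print(validate_file(sample_file()))
    print(breach_count("123456", sample_file()))
    print(breach_count("correct horse battery staple", sample_file()))
```

To check the real download, pass an open file handle (for example `open(path, encoding="ascii")`) instead of `sample_file()`.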

2) Upload risk passwords to FoxIDs

You then upload the risk passwords with the FoxIDs seed tool console application.

Download the FoxIDs.SeedTool-x.x.x-win-x64.zip or FoxIDs.SeedTool-x.x.x-linux-x64.zip file from the FoxIDs release and unpack the seed tool.

Configure the Seed Tool

The seed tool is configured in the appsettings.json file.

Access to upload risk passwords is granted in the master tenant.

Create a seed tool OAuth 2.0 client in the FoxIDs Control Client:

  1. Log in to the master tenant
  2. Select the Applications tab
  3. Click New Application
  4. Click Backend Application
    1. Select Show advanced
    2. Add a Name e.g., Seed tool
    3. Set the Client ID to foxids_seed
    4. Click Register
    5. Remember the Client secret.
    6. Click Close
  5. Click on your client registration in the list to open it
  6. In the Resource and scopes section - this grants the client access to the master tenant
    1. Click Add Resource and scope and add the resource foxids_control_api
    2. Then click Add Scope and add the scope foxids:master
  7. Select Show advanced
  8. In the Issue claims section - this grants the client the tenant administrator role
    1. Click Add Claim and add the claim role
    2. Then click Add Value and add the claim value foxids:tenant.admin
  9. Click Update

FoxIDs Control Client - seed tool client

Add your FoxIDs and FoxIDs Control API endpoints, the client secret, and the path to your local risk passwords (pwned passwords) file to the seed tool configuration.

"SeedSettings": {
    "FoxIDsEndpoint": "https://foxidsxxxx.azurewebsites.net",
    "FoxIDsControlEndpoint": "https://foxidscontrolxxxx.azurewebsites.net",
    "ClientSecret": "xxx",
    ...
    "PwnedPasswordsPath": "c:\\... xxx ...\\pwned-passwords-sha1-ordered-by-count-v4.txt"
}

Run the Seed Tool

  1. Start a Command Prompt
  2. Run the seed tool with SeedTool.exe
  3. Click U to start uploading risk passwords

The risk password upload will take a while.

3) Test

You can read the number of risk passwords uploaded to FoxIDs in the FoxIDs Control Client master tenant on the Settings / Risk Passwords tab. You can also test whether a password is okay or has appeared in breaches.