HaveIBeenPwned? Integration for Password Change and Password Reset


Problem

You want to check new passwords against the HaveIBeenPwned? database to address any potential security concerns. 

Solution

Either enable the Native HaveIBeenPwned? Integration or add it to your PortalGuard Implementation.

Requirements for Native HaveIBeenPwned? Integration Usage

Steps to Enable the Native HaveIBeenPwned? Integration

  1. Navigate to the PortalGuard server and open the following file in an administrative text editor:
    • C:\inetpub\PortalGuard\_layouts\images\PG\js\pg_custom.js
  2. Search the file for 'var g_bUseHIBP'.
  3. Set the variable to 'true'.
  4. Save the file. 
  5. In the same administrative text editor, open the following file:
    • C:\inetpub\PortalGuard\PG_Custom_dotNET_Text.inc
  6. Edit the value of the 'PG_RSRC_TIME' variable to reflect the current date/time:
  7. Save the file. 
  8. Navigate to your PortalGuard website and attempt to set/reset your Password to one that appears on HaveIBeenPwned?

Add HaveIBeenPwned? Support to a pre v6.2.3.4 PortalGuard Environment

  • NOTE: The JS functions for adding HaveIBeenPwned? support can be found in the attached .txt file
  • IMPORTANT: It is HIGHLY RECOMMENDED that you make these changes in a TEST or DEVELOPMENT environment first in order to validate them.
    • In any case, be sure to take a BACKUP of the 'C:\inetpub\PortalGuard' folder before making changes.
  1. Navigate to the PortalGuard server and open the following file in an administrative text editor:
    • C:\inetpub\PortalGuard\_layouts\images\PG\js\pg.js
  2. Search the file for 'function doesPWStartWithLTSign'.
  3. Add the new 'doesPWContainIllegalChars' function above the existing one:
  4. Save the changes to this file. 
  5. In the same administrative text editor, open the following file:
    • C:\inetpub\PortalGuard\_layouts\images\PG\js\pg_custom.js
  6. Scroll to the very bottom of the file and add the following JS variable and function:
  7. Search for 'function preResetPasswordHandler' and modify the function to resemble the following:
  8. Search for 'function preSetPasswordHandler' and modify the function to resemble the following:
  9. Save the file. 
  10. In the same administrative text editor, open the following file:
    • C:\inetpub\PortalGuard\_layouts\PG\login.aspx
  11. Search the file for 'For Announcements' and add the following JS reference in a new line directly above the comment:
    • <script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha1/0.6.0/sha1.min.js" type="text/javascript"></script>
        • NOTE: Depending on your PortalGuard version, your 'login.aspx' file may not have quite as many lines as shown in the screenshot. The important part is to ensure the new 'script' element comes AFTER the 'pg_custom.js' reference.
  12. Save the file.
  13. In the same administrative text editor, open the following file:
    • C:\inetpub\PortalGuard\_layouts\PG\changepw.aspx
  14. Search the file for the '<head>' element and add the SAME JS reference from step #11 somewhere AFTER the 'pg_custom.js' reference:
    • <script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha1/0.6.0/sha1.min.js" type="text/javascript"></script>
  15. Save the file. 
  16. Navigate to your PortalGuard website and attempt to set/reset your Password to one that appears on HaveIBeenPwned?
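
The following is an added example, not the functions from the attached .txt file and not PortalGuard's code. It sketches the kind of browser-side lookup that the js-sha1 reference makes possible, assuming the check uses the public Pwned Passwords range API (this page does not say which endpoint the integration calls); the names splitSha1, breachCount and isPwned are hypothetical.

```javascript
// Added example, not PortalGuard's code; all sample values are constructed.

// Split a SHA-1 hex digest into the 5-character prefix sent to the range API
// and the 35-character suffix that is only ever compared locally.
function splitSha1(hex) {
  const h = String(hex).trim().toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) throw new Error('expected a 40-char SHA-1 hex digest');
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Return the breach count for `suffix` in a range response body
// ("SUFFIX:COUNT" lines, CRLF-separated). Responses requested with padding
// carry decoy entries with a count of 0, which are treated as "not found".
function breachCount(suffix, rangeBody) {
  const wanted = String(suffix).toUpperCase();
  for (const line of String(rangeBody).split(/\r?\n/)) {
    const [sfx, count] = line.trim().split(':');
    if (sfx && sfx.toUpperCase() === wanted) {
      const n = Number.parseInt(count, 10);
      return Number.isInteger(n) && n > 0 ? n : 0;
    }
  }
  return 0;
}

// Browser-side check (hypothetical helper). `sha1` is the global defined by
// js-sha1; only the 5-character prefix appears in the request URL.
async function isPwned(password, hashFn = sha1, fetchFn = fetch) {
  const { prefix, suffix } = splitSha1(hashFn(password));
  const resp = await fetchFn('https://api.pwnedpasswords.com/range/' + prefix);
  if (!resp.ok) throw new Error('range lookup failed: HTTP ' + resp.status);
  return breachCount(suffix, await resp.text()) > 0;
}

// Constructed sample: SHA-1("password") and a made-up range body for its prefix.
const SAMPLE_HASH = '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8';
const SAMPLE_BODY = [
  '1D2DA4053E34E76F6576ED1DA63134B5E2A:2',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999', // suffix of SAMPLE_HASH
  '1F0B3C2A9D8E7F6A5B4C3D2E1F0A9B8C7D6:0',    // padding-style entry
].join('\r\n');
```

isPwned throws when the lookup fails, so the calling handler has to decide whether a failed lookup blocks the password change or lets it through.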

REV. 05/2020 | PortalGuard

  • 29-May-2020