Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
Indeed… And from the eyes of a potential service who’s looking at this feature.
“Ew, a toggle that could potentially save me from liability because they’ll detect shitty passwords when I don’t have the manpower/developer time to implement that check in my server itself! Or pay for access to HIBP/other service for millions of requests a month.”…
This is low hanging fruit… And while I’m not the biggest fan of Cloudflare (I do use it only because it’s the “best option” I have for what I need), this isn’t it… This isn’t what you get mad about. Checking and disabling known compromised passwords is literally best practice… While this isn’t the “best” implementation, it is one that gets us closer to best practice with minimal effort, which means it’s more likely to actually be implemented. High-barrier security features are simply ones that will never get implemented. Does this have its own risk? Sure… But I’d rather a known risk with a well-known company that can be actively sued should they fail, vs “anonymous” who can dox, steal, harass, etc… with virtually no repercussion.
Because Cloudflare users enable the feature?
It’s literally opt-in.
Gross
Oh no, a toggle switch! Whatever will we do?!