REMOVE exposed data breach check

Could you please consider removing, or at least enabling on/off globally, by group or by user, the data breach check, weak password check and notification toast.

We use Passbolt to store a wide range of PINs, passwords, keys and other strings - MANY, MANY of which do not (nor would we want them to) conform to this restrictive, specific usage of Passbolt passwords.

Additionally, at the rate of current data breaches, EVERY combination of 8 characters or less will be registered in Pwned within a few years.

Finally, this is a waste of network and computing resources - looking up every password against the Pwned API every time an entry is added or edited.

Those who understand the weak/breach toast are already fully aware of the need to use appropriately strong passwords (WHERE POSSIBLE OR APPLICABLE), and those who don't understand the notification often misunderstand the message and contact the technical team worried the password has been ‘breached’.

We have already written custom code to rip out this check - but it's annoying to have to re-apply it after each update.


Hi @Cordeos, can’t you simply disable it in administration ➤ Password Policy ➤ External services?


No. You can’t. Not sure what version you are on - but none of our dozen implementations have this option or ability. Did you try this before posting this suggestion?

This option is not available in CE version.
In the PRO version it's even worse: the option is there, but it replaces the check with an alternative warning toast dialog message:
“This option allows the administrators to choose rather if a secret should be checked against an external service or not. If this option is disabled, a warning message is shown to the user to inform them that the current secret could be leaked in a database but their Passbolt application cannot verify that.”
And the warning pop-up is shown not just for leak lookups.

As always, we had to add yet another code-side customization to fix this. Now passing a CONSTANT to nullify the checks.

Hi @Cordeos,

Thank you for your valuable feedback. I wasn’t aware that the notification toast was your primary concern, as my focus has been on the mobile app rather than this feature from the title. I tried to reduce some inconvenience by avoiding external API calls, and I’m sorry if this didn’t fully address your needs. Also, now I get that this isn’t an option in the Community Edition.

Passbolt has since released an updated Browser Extension. You can now leave the Passphrase field empty and use the Note field (previously Description) with the same security level, without triggering notifications. For more details, please check: https://community.passbolt.com/t/passbolt-5-ui-redesign/12717#p-30417-new-resource-createedit-dialogs-14. It is on CE as well, this time I checked. 🙂

I know it’s not perfect, so maybe we can loop in @antony to dig into better solutions?

Appreciate the follow-up. To be clear, yes, the notice/toast is a major issue, but it is also the background resources used unnecessarily and the feature-for-the-sake-of-a-feature aspect to it. This type of ‘feature’ in a password manager is not reasonably useful in 80% of normal use cases. From this ‘feature’, we used to get at least ONE CALL PER DAY from users worried their account was hacked, their 6-digit device access PIN was leaked, or who don't understand what they should do with this scary security alert. Most regular non-IT users don't understand it and it freaks them out. Until we axed it. Remember, within a few years EVERY character combination will be part of a breach. It's already pretty close to that.

Don't get me wrong… Passbolt is AMAZING… it is the absolute best platform out there by a wide margin (over the past 6-7 years we have relentlessly tried them all!).

But there are a few painful issues which have continually forced us to roll our own custom versions with ‘adjustments’. This is one of them.

Another one is the default opening to the list of ALL passwords. Senior staff often have access to most or many passwords, and in a system with 12000+ password entries… every Passbolt open (by dozens of people, dozens of times per hour) is a bit of a drain on the server and local browser. We changed it to ‘favorites’ and moved the ALL items to the bottom. Would be nice to have a user-profile-level preference choice.

Others are:
finding, cleaning and notices for orphaned entries

export/import function enable or disable by user or group member

Lastly, a background process to automatically add a super group owner (or user) to all entries, which ensures there are never orphaned entries and that you can always export the full, complete list of saved passwords to an encrypted USB to place in a fireproof safe or bank deposit box just by selecting all the passwords for the superuser.
