Remove `uncompromised()` out of laravel core

[thyseus]

Please remove the new uncompromised() feature introduced in laravel/framework#36960 out of the laravel framework core. It is absolutely irresponsible to send the plain-text password, or even hashed password of any user registering to a third party service most proably without letting him know. I feel fine if there is a third party extension, but this potentially malicious design behaviour should not be promoted inside the laravel core.

Of course a developer is not forced to use this feature inside his application, but this behaviour should not be promoted. Please keep the way of handling of passwords agnostic and secure.

[base-zero]

@thyseus I would highly recommned that you read over the code in Laravel that is used for this feature as nothing is sent in plain-text ! I would also recommned that your read the API docs for haveibeenpwned and you will see that security is the most important thing for this API and that its not as simple as sending hashs out to a 3rd party.

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

Please read the docs and code to see how the system works and how security is bulit into the desgin of the system from the start, before scaremongering with incorrect comments.

[thyseus]

@base-zero thanks a lot for that link. I am going to inform myself about the security of that service. Just at first glance it just looked suspicious for me, but it looks like this service can be "trusted".

Since the laravel community seems to have much trust in this service, i will close this issue.

(btw it wasn´t my intention to scare anybody...)

[lk77]

yeah you can trust it, only the first 5 characters of the hash is sent, you get hundreds of hashs back and you have to check for the hash you want yourself.

[thyseus]

@lk77 exactly as i grasped this concept, my heart was reliefed... :)

but how about adding a prominent section about this fact somewhere to the documentation for other inexperienced developers to avoid this shock? Or placing the given cloudflare link somewhere in the laravel documentation about this topic ?