KM SOFT

Micro-learning web app

Implementing security features

Duration: 2018.11 - 2019.03 (4 months)
Technologies: Ruby, Rails, PostgreSQL, HTML, CSS
Methodology: Kanban

As a software developer at TheMasters software house, I was delegated to work with Qstream on a fixed scope of work. The client had an application for corporate clients that allowed them to create Q&A sets to enhance their employees' knowledge and skills about their industry and the company itself.

My primary responsibility involved addressing security vulnerabilities within the Rails application, which were well-documented in Jira with detailed descriptions and active technical discussions.

A significant part of my role involved enhancing the security of the user registration and password change workflows. The existing page had a password strength meter to prevent the use of weak passwords. The client wanted to extend this by ensuring users did not select passwords known to be compromised.

The initial task description outlined the problem and desired outcome without suggesting specific solutions. After researching potential approaches, I proposed using the external service provided by haveibeenpwned.com to verify if a given password was compromised.

To address the client's concerns about sending actual passwords to an external service, I clarified how the service works: we would only send a prefix of the hashed password. The service, in turn, would return a list of hashes starting with that prefix that are known to be compromised, which we would then compare locally against our full hash.
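The range check described above, as an added illustration that is not Qstream's or TheMasters' code: only the first five hex characters of the SHA-1 digest leave the application, the returned "SUFFIX:COUNT" lines are matched locally, and any network or HTTP failure falls open so registration is not blocked. The class and method names, the injectable fetcher and the two-second timeout are assumptions for this example.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# Checks a candidate password against the Pwned Passwords range API using
# k-anonymity: only the 5-char SHA-1 prefix is sent; the full hash stays local.
class PwnedPasswordCheck
  RANGE_URL = 'https://api.pwnedpasswords.com/range/'.freeze
  Result = Struct.new(:pwned, :count, :error)

  # fetcher: callable taking the 5-char prefix and returning the response body.
  # Injected so the check can be exercised offline; defaults to a real HTTPS call.
  def initialize(fetcher: method(:fetch_range), timeout: 2)
    @fetcher = fetcher
    @timeout = timeout
  end

  def call(password)
    digest = Digest::SHA1.hexdigest(password).upcase
    prefix, suffix = digest[0, 5], digest[5..]
    count = parse_count(@fetcher.call(prefix), suffix)
    Result.new(count.positive?, count, nil)
  rescue StandardError => e
    # Fail open: an outage of the external service must not break sign-up;
    # the caller is expected to log e and proceed with the strength meter only.
    Result.new(false, 0, e.class.name)
  end

  private

  # Response body: one "SUFFIX:COUNT" line per compromised hash sharing the prefix.
  def parse_count(body, suffix)
    body.each_line do |line|
      s, c = line.strip.split(':', 2)
      return c.to_i if s == suffix
    end
    0
  end

  def fetch_range(prefix)
    uri = URI("#{RANGE_URL}#{prefix}")
    Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                    open_timeout: @timeout, read_timeout: @timeout) do |http|
      res = http.get(uri.path)
      raise "HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
      res.body
    end
  end
end
```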

Following client approval, I implemented the solution. I spent significant effort on error handling, implementing fallback mechanisms to mitigate potential HTTP connectivity issues, timeouts, and other disruptions between the application and the external service, so that the UX would remain uninterrupted even in case of external service failures.