PwnedPass is a client-side JS module that quickly checks whether a password has appeared in past data breaches. Protect your users and improve your app's security by warning them against weak and insecure passwords.
Its small footprint and ease of use let you quickly and securely check a password against a large set of known exposed passwords from past data breaches. Exposed-password data is provided by https://haveibeenpwned.com/Passwords.
View live demo on jsfiddle.
The check function accepts a plaintext password or a SHA-1 hash as its first parameter; a plaintext password is hashed before the lookup. The second parameter is a callback invoked when a match is found.
PwnedPass.check(password, function(){
  console.log("this password was found in the haveibeenpwned password data");
});
Optionally, the second parameter can be an object with two callbacks, Pwned and Clean.
// multiple callbacks
PwnedPass.check(password, {
  Pwned: function(){ console.log("this password was found in the haveibeenpwned password data"); },
  Clean: function(){ console.log("this password is clean"); },
});
If a plaintext password resembles a SHA-1 hash, it won't be hashed automatically. To hash it anyway, set ForceHash in the second-parameter object.
// force sha1 hashing of input
PwnedPass.check(password, {
  ForceHash: true,
  Pwned: function(){ console.log("this password was found in the haveibeenpwned password data"); },
});
The SHA-1 hashing relies on crypto.subtle (specification status: Recommended). See its browser compatibility. If this does not suit your needs, you can perform the hash with another solution and pass PwnedPass the SHA-1 hash instead of a plaintext password.
TextEncoder is also used when performing the SHA-1 hashing. See its browser compatibility. As of this writing it is not broadly supported, but a polyfill is available: Polyfill for the Encoding Living Standard's API.
Other JS features used (see browser compatibility): Promises, async/await.
If you have feature requests or bug reports, feel free to help out by sending pull requests or creating new issues.
PwnedPass is distributed under the terms and conditions of the MIT license. The "Have I Been Pwned?" data and API are licensed under a Creative Commons Attribution 4.0 International License.