Password Have I Been Pwned
by Scott Euser



This extension extends the Bolt password check on login to also check Have I Been Pwned API V2. If the password has been used in known security breaches it blocks the login with an appropriate message.

## Config

Please see /app/config/extensions/passwordhaveibeenpwned.scotteuser.yml.

## Is my password sent to Have I Been Pwned?

No, this uses API Version 2. The process is as follows:

1. Hash the password
2. Take just the first 5 characters of the hash and make a request to Have I Been Pwned.
3. Have I Been Pwned returns between 300 and 600 possible hashes
4. The extension checks for an exact match in the possible matches.
5. Troy Hunt explains the process in his documentation here.

## Is my email sent to Have I Been Pwned?

No, the email is never sent: only the hash of the password as described above.

## Note

I would appreciate feedback and suggestions to improve this extension as Bolt is new territory for me. Go easy :)

## Disclaimer

This extension is provided 'as is'. You are ultimately responsible for your site security. This extension has been built to assist in providing additional security.

More Info

26th Jun 2018
Latest Version(s)
Last Update
  • 1st July 2018 (Development)

Changelog & Releases

Loading releases …