Check if a user password is found in the Have I Been Pwnd database.
This module is not a replacement for two factor authentication.
Users are actively locked out if their password is found to be pwnd and forced to reset their password.
Although it adds to the user security te enforce unique passwords, this module will not prevent any password leaks like the ones used by HaveIBeenPwnd.
This module checks on password change and login, if the SHA1 of the password appears in the Have I Been Pwnd database.
There is never a full password transmitted to HaveIBeenPwnd, only the first 5 characters of a SHA1 of the password, the response from HaveIBeenPwnd is then compared locally.
Given the nature of HaveIBeenPwnd, even if a password is intercepted (the connection is HTTPS and Troy Hunt is not the easiest when it comes to security), the password has already been out in the wild, so this scenario is a very unlikely one to cause more breaches.
Only a count of the amount of times the password shows in the database is collected, next to which known breaches contain the users Email or Username. This information about the password and the email are unrelated. HaveIBeenPwnd does not provide a relation between the two. On purpose.
composer require firesphere/haveibeenpwnd
--- Name: MyPwnConfig after: HaveIBeenPwndConfig --- Firesphere\HaveIBeenPwnd\Services\HaveIBeenPwndService: allow_pwnd: false save_pwnd: true --- Only: environment: dev --- Firesphere\HaveIBeenPwnd\Services\HaveIBeenPwndService: allow_pwnd: true
allow_pwnd If set to true, passwords that appear in the Have I been Pwnd database will be allowed
save_pwnd If set to true, all the breaches in which the user's username or email address appears
Add the following to either of your config yml files. (Suggested is using an
MyVendor\MyNameSpace\MyPasswordValidator: extensions: - Firesphere\HaveIBeenPwnd\Extensions\PasswordValidatorExtension
Replacing the vendor\namespace\validator with your own Validator namespace and classname
To not make engineers life impossible and allow for using pwnd passwords on local environments in
by default, the Pwnd service is turned off in
This module is published under BSD 3-clause license, although these are not in the actual classes, the license does apply:
Copyright (c) 2012-NOW(), Simon "Sphere" Erkelens
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Pictured below is a cow, just for you.
/( ,,,,, )\ _\,;;;;;;;,/_ .-"; ;;;;;;;;; ;"-. '.__/`_ / \ _`\__.' | (')| |(') | | .--' '--. | |/ o o \| | | / \ _..=.._ / \ /:. '._____.' \ ;::' / \ .; | _|_ _|_ ::| .-| '==o==' '|-. / | . / \ | \ | | ::| | | .| | ( ') (. )::| |: | |; U U ;|:: | `| |' | | \ U U / |' | | ##V| |_/`"""`\_| |V## ##V## ##V##