kisscool/simple-haveibeenpwned

A very simple class to check your password safety against 'Have I Been Pwned' API.

Maintainers

Details

github.com/kisscool-fr/simple-haveibeenpwned

Homepage

Source

Issues

Installs: 206

Dependents: 0

Suggesters: 0

Security: 0

Stars: 1

Watchers: 2

Forks: 0

Open Issues: 0

v1.0.4 2019-07-22 12:42 UTC

Requires

Requires (Dev)

MIT 66f8b536da0c0b13763f5e87f5fc61f57cebec75

  • KisSCoOl <kisscool.woop@kisscool.net>

This package is auto-updated.

Last update: 2024-04-22 23:25:58 UTC

README

Build Status

SimpleHIBP

SimpleHIBP is a very simple way to check your password safety against Troy Hunt's Have I Been Pwned range password API.

Usage

As the idea of this is to keep it simple, you'll just need to call isPasswordSafe() static method, passing it the password you want to test as the only argument, and get a boolean value as the return:

  • true if the submited password hasn't been seen in a leak
  • false if has been seen

Example

use HIBP\SimpleHIBP;

$password = "someth1ng";
if (SimpleHIBP::isPasswordSafe($password)) {
  echo "My password is safe :)";
} else {
  echo "My password is unsafe :(";
}

Security

  • It's obvious, but your data (password, hashed password) are never stored
  • So, there is no cache at all (see Limitation)

Limitation

To keep it simple, there is no caching at all. If you plan to integrate it on a high loaded website, please add some form of caching. Something like that should do the job (for security reason, I highly recommend you not to use the password as a data for the cache key):

use HIBP\SimpleHIBP;

$password = "someth1ng";
$key = "someUniqueUserData";
if (false === ($result = $cache->get($key))) {
  $result = SimpleHIBP::isPasswordSafe($password);
  $cache->set($key, $result);
}

Credits

Big thanks to Troy Hunt for his amazing work on Have I Been Pwned.