Verify hashed passwords against HIBP


v0.3.0 2023-11-30 23:10 UTC

This package is auto-updated.

Last update: 2024-03-26 04:55:24 UTC


This module allows verification of hashed passwords against the HIBP corpus.

For more information on how the Pwned Password API works, including how compromised password hashes are sent to the API, please read: https://haveibeenpwned.com/API/v3#PwnedPasswords
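
The range lookup described in the API documentation linked above, as an added example (not code from this module or from MFlor/pwned): only the first five characters of the SHA-1 hash are sent, and the remaining 35 are compared locally against the returned list. The function names are hypothetical and the response body is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Split a password's SHA-1 into the 5-character prefix that is sent to the
 * range endpoint and the 35-character suffix that never leaves this host.
 */
function hibpSplitHash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

/**
 * Look up a suffix in a range response body ("SUFFIX:COUNT" per line).
 * Returns the number of times the password was seen, or 0 when absent.
 * Padding entries (sent when the request sets Add-Padding: true) have a
 * count of 0, so they are reported as "not pwned" as well.
 */
function hibpCountInRange(string $body, string $suffix): int
{
    foreach (preg_split('/\r\n|\n|\r/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue; // skip blank or malformed lines
        }
        if (hash_equals(strtoupper($parts[0]), strtoupper($suffix))) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// Constructed response body: two made-up suffixes plus the demo password's
// real suffix with a made-up count, so the example runs offline.
[$prefix, $suffix] = hibpSplitHash('password');
$sampleBody = implode("\r\n", [
    '0018A45C4D1DEF81644B54AB7F969B88D65:3', // constructed entry
    $suffix . ':42',                         // constructed count
    '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0', // constructed padding entry
]);

printf("GET https://api.pwnedpasswords.com/range/%s\n", $prefix);
printf("suffix kept local: %s\n", $suffix);
printf("listed password count: %d\n", hibpCountInRange($sampleBody, $suffix));

[, $other] = hibpSplitHash('constructed-unlisted-passphrase');
printf("unlisted password count: %d\n", hibpCountInRange($sampleBody, $other));
```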

This module is under active development and should not be considered production-ready just yet.

We welcome testing and feedback via the GitHub issue tracker.


This module uses MFlor/pwned to interface with the Password and Breach API.

In addition to password checking, it can optionally check for breaches linked to a supplied email address, which requires an API key to be purchased from haveibeenpwned.

From a Silverstripe perspective, the module:

  • checks for pwned passwords and prohibits their use via a PasswordValidator extension
  • flags relevant records
  • sends digest emails containing the volume of pwned passwords


The module comes with a default configuration that should get you up and running.

Read the configuration documentation for configuration instructions.

Read the email documentation for information about email and templates.






We welcome bug reports, pull requests and feature requests on the GitHub issue tracker for this project.

Please review the code of conduct prior to opening a new issue.

Development and contribution

If you would like to contribute to the module, please raise a pull request and discuss it with the module maintainers.

Please review the code of conduct prior to completing a pull request.