simplygoodwork/craft-pwny

Validate user passwords against the Pwned Passwords API

Maintainers

Package info

github.com/simplygoodwork/craft-pwny

Documentation

Type:craft-plugin

pkg:composer/simplygoodwork/craft-pwny

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

1.0.2 2025-05-16 08:34 UTC

Requires

proprietary 5a714b2ee8df2688b7a752edd62d858fd85d6ec1

cmsuserpasswordCraftcraftcmscraft-plugincybersecurity

This package is auto-updated.

Last update: 2026-03-05 10:19:27 UTC

README

Enhance your site's security by ensuring users select stronger passwords than password. The plugin employs the k-Anonymity method to validate passwords against the Pwned Passwords API without compromising user privacy by revealing passwords to an external service.

This plugin was inspired by the Cloudflare blog post Validating Leaked Passwords with k-Anonymity and this one by Troy Hunt creator of the Have I Been Pwnd service.

Error message

Requirements

This plugin requires Craft CMS 5.3.0 or later.

The plugin needs to make a call to the free Have I Been Pwnd API at the address https://api.pwnedpasswords.com/ in case you need to whitelist this on your host.

Installation

To install the plugin, follow these instructions:

composer require "simplygoodwork/craft-pwny:^1.0.0" -w && php craft plugin/install pwny

for DDEV users:

ddev composer require "simplygoodwork/craft-pwny:^1.0.0" -w && ddev craft plugin/install pwny

Settings

You can toggle the service, restrict to just users with CP access and customise the error message.

Settings

If you want to toggle the plugin on/off using environment variables, you could create a config/pwny.php file to override this setting. The example below uses PWNY_ENABLED in .env but defaults to true (on) if the variable can't be found:

<?php

use craft\helpers\App;

return [
	'enabled' => App::env('PWNY_ENABLED') ? App::env('PWNY_ENABLED') : true,
];

Brought to you by Good Work.