timpack/magento2-module-pwned-validator

Add 'Have I been pwned?' validator to Magento 2.

Maintainers

Details

github.com/tdgroot/magento2-module-pwned-validator

Source

Issues

Installs: 0

Dependents: 0

Suggesters: 0

Security: 0

Stars: 7

Watchers: 2

Forks: 2

Open Issues: 0

1.1.0 2020-05-08 09:36 UTC

Requires

  • magento/framework: ^101.0
  • magento/module-customer: ^101.0

MIT 6d52d3e071c16857a29ab6bcb2fa6480ae169ae4

  • Timon de Groot <tdegroot96.woop@gmail.com>

This package is auto-updated.

Last update: 2024-04-18 05:33:28 UTC

README

This module adds a validator which checks if the submitted password is found in public databases using the Have I Been Pwned? service.

Security

There are no security drawbacks, because there are no actual passwords being submitted over the internet. This is possible by hashing the password using the SHA-1 algorithm and request all hashes in the Have I been Pwned? databases starting with the first 5 characters of the password hash. This resultset contains a list of hashes and the amount of occurrences.

This way the password stays inside the Magento process.

Installation

composer require timpack/magento2-module-pwned-validator
bin/magento setup:upgrade

Configuration

You can configure the threshold of the validator, at which count of occurrences in the resultset the password should be considered insecure/invalid. This configuration can be found at:

Stores -> Configuration -> Customer -> Customer Configuration -> Pwned Validator -> Minimum amount of matches

Credits

This module was heavily inspired by Valorin's Pwned validator written for Laravel: valorin/pwned-validator