
backdrop-contrib/pwned_passwords


Pwned passwords

WARNING: The module is currently being ported and may change.

Please test on a staging server before deploying to production.

Have I Been Pwned?

Although this module is a port of the Drupal 7 password_haveibeenpwned module, it uses the name of the Drupal 8/9/10 module pwned_passwords, because the name is shorter and makes the code easier to read, and in the hope of preserving future feature parity.

The module provides additional checks/validation for user passwords with Troy Hunt's excellent service Have I Been Pwned for email addresses and Have I Been Pwned Passwords for passwords. For further background see Wikipedia HIBP.

Specifically, the module uses the HIBP Pwned Passwords V3 API to check passwords, sending only the first five characters of the password's hash over HTTPS.

This port attempts to preserve behavior from the Drupal 7 module while adapting hook signatures and APIs for Backdrop. It uses backdrop_http_request() if available; otherwise it falls back to cURL (not currently implemented).

The module provides configurable options for user login, registration, and password change to block, warn about, or ignore the use of compromised ("pwned") passwords.

By default, pwned passwords trigger a warning on user login and are blocked on registration or password change. These are the same defaults used by the Drupal 7 module.

There is also a configurable threshold based on the count for each pwned password returned by the API; higher counts indicate more commonly breached passwords. The default threshold is 1, unlike the Drupal 7 module, where it is 10.
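The check described above, sketched as an added example that is not the module's own code: the password is hashed, only the five-character prefix would be sent, and the returned suffix list is matched locally against the threshold and the per-context defaults. The function names are hypothetical, the response body is constructed, and treating a count equal to the threshold as pwned is an assumption; the range API's default hash is SHA-1.

```php
<?php
// Added example, not the module's code. All function names are hypothetical.

// Split the SHA-1 of a password into the 5-character prefix that is sent to
// the API and the 35-character suffix that never leaves the server.
function pwned_example_split_hash(string $password): array {
  $hash = strtoupper(sha1($password));
  return [substr($hash, 0, 5), substr($hash, 5)];
}

// Parse a range response body (one "SUFFIX:COUNT" pair per line) and return
// the breach count for our suffix, or 0 when the suffix is not listed.
function pwned_example_count(string $body, string $suffix): int {
  foreach (preg_split('/\r\n|\r|\n/', trim($body)) as $line) {
    $parts = explode(':', trim($line), 2);
    if (count($parts) === 2 && strtoupper($parts[0]) === $suffix) {
      return (int) $parts[1];
    }
  }
  return 0;
}

// Map a count to an action using the defaults the README states: threshold 1,
// warn on login, block on registration and password change.
// Assumption: a count equal to the threshold already counts as pwned.
function pwned_example_action(int $count, string $context, int $threshold = 1): string {
  $policy = ['login' => 'warn', 'register' => 'block', 'password_change' => 'block'];
  if ($count < $threshold) {
    return 'allow';
  }
  // Unknown contexts fail closed.
  return $policy[$context] ?? 'block';
}

[$prefix, $suffix] = pwned_example_split_hash('password');
// Constructed sample body. A real one is the response to
// https://api.pwnedpasswords.com/range/$prefix and lists every known suffix
// for that prefix, so the service never learns which one was being checked.
$body = "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n" . $suffix . ":42\r\n";
$count = pwned_example_count($body, $suffix);
foreach (['login', 'register', 'password_change'] as $context) {
  echo $context, ': ', pwned_example_action($count, $context), "\n";
}
```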

Requirements

  • It is not necessary to register for an API at the HIBP website.
  • PHP 7.4 or above (Not tested with lower versions).

Installation

Documentation

Additional documentation is located in the Wiki: https://github.com/backdrop-contrib/pwned_passwords/wiki/Documentation.

Issues

Bugs and Feature Requests should be reported in the Issue Queue: https://github.com/backdrop-contrib/pwned_passwords/issues.

Current Maintainers

  • izmeez
  • Seeking additional maintainers

Credits

License

This project is GPL v2 software. See the LICENSE.txt file in this directory for complete text.
