Enhance your site's security by ensuring users select stronger passwords than "password". The plugin employs the k-Anonymity method to validate passwords against the Pwned Passwords API without compromising user privacy by revealing passwords to an external service.
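To make the privacy claim concrete, here is the k-Anonymity exchange the plugin relies on, written in plain PHP as an added example (it is not the Pwny plugin's own code). The SHA-1 of the candidate password is split into a 5-character prefix, which is the only thing sent to the range endpoint, and a 35-character suffix that is matched locally against the returned list. The range URL path, the Add-Padding request header, the function names and the sample response body (including every count in it) are assumptions or constructed for the demo; the offline demonstration at the bottom makes no network call.

```php
<?php
// Added example, not the Pwny plugin's own code: the k-Anonymity check behind
// the Pwned Passwords range API, in plain PHP. Only the first 5 hex characters
// of the SHA-1 hash ever leave the server; the match happens locally.

// Assumption: the range endpoint under the API host named in the README.
const PWNED_RANGE_URL = 'https://api.pwnedpasswords.com/range/';

/**
 * Return [prefix, suffix]: the 5-char prefix that is sent to the API and the
 * 35-char remainder that is compared locally. Both are uppercase hex.
 */
function splitHash(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Parse a range response ("SUFFIX:COUNT" per line) and return how many times
 * the given suffix was seen in breaches, or 0 if it is not listed.
 * Padded entries (count 0) are tolerated: they never produce a positive hit.
 */
function countFromRangeResponse(string $body, string $suffix): int
{
    foreach (preg_split('/\r?\n/', $body) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        [$candidate, $count] = array_pad(explode(':', $line, 2), 2, '0');
        if (strtoupper($candidate) === $suffix) {
            return (int) $count;
        }
    }
    return 0;
}

/**
 * Fetch the range for a prefix. Returns null on transport failure so the
 * caller can decide explicitly whether to fail open (accept) or closed (reject).
 */
function fetchRange(string $prefix): ?string
{
    $ctx = stream_context_create(['http' => [
        'timeout' => 5,
        // Add-Padding asks the API to pad the response so its size does not
        // reveal how many hashes share the prefix.
        'header'  => "Add-Padding: true\r\nUser-Agent: pwny-readme-example\r\n",
    ]]);
    $body = @file_get_contents(PWNED_RANGE_URL . $prefix, false, $ctx);
    return $body === false ? null : $body;
}

/** Full check: null if the API could not be reached, otherwise the breach count. */
function pwnedCount(string $password): ?int
{
    [$prefix, $suffix] = splitHash($password);
    $body = fetchRange($prefix);
    return $body === null ? null : countFromRangeResponse($body, $suffix);
}

// Offline demonstration with a constructed response body (no network call).
// SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the API
// would only ever see "5BAA6". The counts below are made up for the demo.
[$prefix, $suffix] = splitHash('password');
$sampleBody = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
            . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
            . str_repeat('F', 35) . ":0\r\n";

echo "prefix sent to API: $prefix\n";
echo "breach count for 'password': ", countFromRangeResponse($sampleBody, $suffix), "\n";
echo "breach count for an unlisted hash: ", countFromRangeResponse($sampleBody, str_repeat('0', 35)), "\n";
```

pwnedCount() is the call a password validator would make. What to do when it returns null (API unreachable) is a policy decision, accept the password or reject it, and it is better made explicitly in the validator than left to whatever a failed HTTP call happens to evaluate to.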
This plugin was inspired by the Cloudflare blog post Validating Leaked Passwords with k-Anonymity and this one by Troy Hunt, creator of the Have I Been Pwned service.
This plugin requires Craft CMS 5.3.0 or later.
The plugin needs to make a call to the free Have I Been Pwned API at https://api.pwnedpasswords.com/, so add that address to your host's outbound allow list if one is enforced.
To install the plugin, follow these instructions:
composer require "simplygoodwork/craft-pwny:^1.0.0" -w && php craft plugin/install pwny
For DDEV users:
ddev composer require "simplygoodwork/craft-pwny:^1.0.0" -w && ddev craft plugin/install pwny
You can toggle the service on or off, restrict the check to users with CP (control panel) access, and customise the error message.
If you want to toggle the plugin on/off using environment variables, you could create a config/pwny.php file to override this setting. The example below reads PWNY_ENABLED from .env but defaults to true (on) if the variable can't be found:
<?php
use craft\helpers\App;

return [
    // App::env() returns null when PWNY_ENABLED is unset and false when it is
    // set to "false". The null-coalescing operator only falls back to true in
    // the unset case, so PWNY_ENABLED=false really does disable the plugin
    // (a plain ternary would treat false as "missing" and re-enable it).
    'enabled' => App::env('PWNY_ENABLED') ?? true,
];
Brought to you by Good Work.