Download the PHP package bakerkretzmar/laravel-pwned-password-rule without Composer
On this page you can find all versions of the php package bakerkretzmar/laravel-pwned-password-rule. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download bakerkretzmar/laravel-pwned-password-rule
More information about bakerkretzmar/laravel-pwned-password-rule
Files in bakerkretzmar/laravel-pwned-password-rule
Package laravel-pwned-password-rule
Short Description A Laravel validation rule to check passwords against Have I Been Pwned
License MIT
Homepage https://github.com/bakerkretzmar/laravel-pwned-password-rule
Information about the package laravel-pwned-password-rule
Laravel Pwned Password Rule
Validate passwords against the Have I Been Pwned database.
Have I Been Pwned is a service that lets you check whether any of your accounts have been compromised in a data breach. In addition to their website and account search functionality, they operate a Pwned Passwords tool that allows securely and anonymously searching for passwords found in breaches. Under the hood, this validation rule queries the Pwned Passwords API and checks whether, and how often, the value being validated appears in HIBP's breach database.
This package does NOT share your users’ passwords with third parties. Values being validated using this rule are hashed in your application, and only the first five characters of the hash are sent to the Pwned Passwords API. The API returns all password hash suffixes matching those five characters, and back in your application this rule determines which suffix, if any, matches the value being validated. This package also supports response padding to further obscure the API's responses to hash queries.
For more information please read the launch announcement of Pwned Passwords, Introducing 306 Million Freely Downloadable Pwned Passwords, the V2 announcement, I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download, and the Have I Been Pwned API documentation.
Installation
You can install the package with Composer:
Usage
Use this rule like any other Laravel validation rule:
You can also use the rule's string alias:
By default, the rule will fail any value that has ever appeared in Have I Been Pwned's breach database, which contains over 500,000,000 passwords. To allow passwords that have been breached but don't appear in the database often, you can pass an integer to the rule as its first argument. Values appearing that many times or fewer will then pass validation.
Pwned Passwords also offers additional security with optional response padding, which pads responses with fake hashes to a length of 800–1,000 lines, to defend against attacks that inspect the size of the response to determine how many matches the API returned. You can enable response padding by passing true as the second argument to this rule.
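The following is an added example, not code from the bakerkretzmar/laravel-pwned-password-rule package, showing the k-anonymity range lookup the README describes: the value is hashed locally with SHA-1, only the first five hex characters would be sent to the API, and the returned suffix list is matched locally. It also applies the count threshold from the first argument and ignores padding entries (which the API returns with a count of 0). The response text is constructed inline so the example runs offline; the function names are hypothetical and the breach counts are made up.

```php
<?php
declare(strict_types=1);

// Added example, not the package's own code: the k-anonymity range check,
// with threshold and padding handling. The HTTP request is replaced by a
// constructed response so this runs offline.

/**
 * Split the SHA-1 hex digest into the 5-character prefix that is sent to
 * the API and the 35-character suffix that never leaves the application.
 *
 * @return array{0: string, 1: string}
 */
function hashParts(string $password): array
{
    $hash = strtoupper(sha1($password));

    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Parse a range response ("SUFFIX:COUNT" per line, CRLF separated) and
 * return how many times our suffix was seen. Padding entries are returned
 * by the API with a count of 0, so they never cause a false match.
 */
function breachCount(string $rangeResponse, string $suffix): int
{
    foreach (preg_split('/\r\n|\n/', trim($rangeResponse)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // tolerate blank or malformed lines
        }

        [$candidate, $count] = explode(':', $line, 2);

        if (strtoupper(trim($candidate)) === $suffix) {
            return (int) trim($count);
        }
    }

    return 0; // suffix absent from the range: never seen in a breach
}

/**
 * Same semantics as the rule's first argument: a value passes when it
 * appears $threshold times or fewer (default 0, i.e. never).
 */
function passesPwnedCheck(string $password, string $rangeResponse, int $threshold = 0): bool
{
    [, $suffix] = hashParts($password);

    return breachCount($rangeResponse, $suffix) <= $threshold;
}

// Constructed response for the prefix 5BAA6 (SHA-1("password") is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The counts are made up; the
// 0-count lines stand in for the padding entries added when padding is on.
$constructedResponse = implode("\r\n", [
    '1D2DE1A6B7E52B2A5F3D8C8D7F6E5A4B3C2:4',
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471',
    '1F00A9C2B3D4E5F60718293A4B5C6D7E8F9:0',
    '2A1B3C4D5E6F708192A3B4C5D6E7F8091A2:0',
]);

// In the real rule the response comes from an HTTP GET to
// https://api.pwnedpasswords.com/range/{prefix}, sending the header
// "Add-Padding: true" when padding is enabled.
[$prefix, ] = hashParts('password');
echo "prefix sent to the API: {$prefix}\n";
var_dump(passesPwnedCheck('password', $constructedResponse));
var_dump(passesPwnedCheck('password', $constructedResponse, 5000000));
```

The threshold comparison uses `<=` because the README states that values appearing "that many times or fewer" pass; with the default of 0, any non-zero count fails validation, and a padding entry's zero count cannot make a never-breached password fail.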
Security
If you find any security related issues with this package, please email [email protected] instead of submitting an issue.
Credits
- Troy Hunt created and maintains Have I Been Pwned
License
This package is released under the MIT License. See LICENSE.md.
All versions of laravel-pwned-password-rule with dependencies
guzzlehttp/guzzle Version ^7.0
illuminate/http Version ^7.0
illuminate/support Version ^7.0