Download the PHP package itinerisltd/disallow-pwned-passwords without Composer

On this page you can find all versions of the php package itinerisltd/disallow-pwned-passwords. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package disallow-pwned-passwords

Disallow Pwned Password


Goal

Spoiler Alert: User passwords never leave your server, not even in hashed form.

Reusing passwords is solely the users' fault, but when attackers brute-force those reused passwords and then steal users' personal information or spend their hard-earned money through your site, those lazy users blame you, the site owner/developer.

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,...

  • Passwords obtained from previous breach corpuses

-- NIST Digital Identity Guidelines

This plugin's sole purpose is to prevent WordPress and WooCommerce users from reusing passwords listed in the Have I Been Pwned database.

Explain It Like I'm Five

Users older than five can learn more from:

Minimum Requirements

Installation

Composer (Recommended)

WP CLI

Classic

Download the plugin zip file from https://wordpress.org/plugins/disallow-pwned-passwords/. Then follow https://codex.wordpress.org/Managing_Plugins#Installing_Plugins

Usage

Activate and forget.

This plugin intercepts when:

Additional interceptions if WooCommerce is installed:

Performance

By default, this plugin caches Have I Been Pwned API responses for 1 week using WP Object Cache.

If you don't have a persistent cache plugin, it has no effect and doesn't cache anything.

In rare cases a persistent cache plugin might not be compatible; you can disable caching by:

FAQ

Did you just send all the passwords to someone else?

No. User passwords never leave your server, not even in hashed form.

How do you compare user passwords with the 6,493,641,194 pwned ones?

Curious users can learn more from:

Paranoid users should check the plugin implementation.
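As an added illustration (not the plugin's own code), this is the k-Anonymity range search the answer above refers to, in PHP 7.0-compatible syntax: only the first 5 hex characters of the password's SHA-1 hash are sent to the API, and the comparison of the remaining 35 characters happens locally. The HTTP client is replaced by an injectable callable fed a constructed response, so the script runs offline; the counts in the sample response are made up.

```php
<?php
declare(strict_types=1);

// Split the uppercase SHA-1 hex digest into the 5-char prefix that goes to
// the API and the 35-char suffix that never leaves the server.
function splitHash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

// Parse a range response ("SUFFIX:COUNT" per line, CRLF separated) and
// return how often our suffix appears in breach corpuses (0 = not found).
function countFromRange(string $suffix, string $rangeBody): int
{
    foreach (preg_split('/\R/', trim($rangeBody)) as $line) {
        list($candidate, $count) = array_pad(explode(':', trim($line), 2), 2, '0');
        // hash_equals keeps the comparison length-safe and constant-time.
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }
    return 0;
}

// $fetchRange(string $prefix): string is the pluggable API client. In a real
// client it would GET https://api.pwnedpasswords.com/range/{prefix}; here a
// stub stands in so nothing leaves the machine.
function pwnedCount(string $password, callable $fetchRange): int
{
    list($prefix, $suffix) = splitHash($password);
    return countFromRange($suffix, $fetchRange($prefix));
}

// Constructed sample response for prefix 5BAA6 (SHA-1 of "password" is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); counts are invented.
$sampleRange = "1E2A4A9D36F2F58C9E0A6B1A0E0D7C4B6F0:2\r\n"
             . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             . "1F0A7C4B1D2E3F4A5B6C7D8E9F0A1B2C3D4:1\r\n";
$stubClient = function (string $prefix) use ($sampleRange): string {
    return $prefix === '5BAA6' ? $sampleRange : '';
};

printf("%d\n", pwnedCount('password', $stubClient));                 // 3730471
printf("%d\n", pwnedCount('correct horse battery staple', $stubClient)); // 0
```

Swapping `$stubClient` for a real HTTP client (or a cached wrapper keyed by the prefix, as the Performance section describes) is the same seam the README's "replace the default API client" answer points at.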

What to do if I don't trust haveibeenpwned.com?

Troy Hunt is a well-known security expert. You should trust him more than me (the plugin author). Anyway, you can replace the default API client with your own:

This plugin uses league/container. Learn more from its documentation.

What to do if I don't trust the plugin author?

Good question! You shouldn't blindly trust any random security guide/plugin from the scary internet - including this one!

Review the plugin implementation.

I have installed this plugin. Does it mean my WordPress site is unhackable?

No website is unhackable.

To have a secure WordPress site, you have to keep all these up-to-date:

Strongly recommended:

Can strong passwords be pwned?

Yes. Example:

How to disable WooCommerce password strength meter?

For testing only, use at your own risk!

Will you add support for older PHP versions?

Never! This plugin only works on actively supported PHP versions.

Don't use it on end-of-life or security-fixes-only PHP versions.

Note: The current version supports PHP 7.0 because the wordpress.org svn pre-commit hook rejects PHP 7.1+ syntax. However, you should not use PHP 7.0 because it reached end of life on 10 January 2019.

It looks awesome. Where can I find some more goodies like this?

Besides wp.org, where can I give a :star::star::star::star::star: review?

Thanks! Glad you like it. It's important to let my boss know that somebody is using this project. Please consider:

Alternatives

Testing

Pull requests without tests will not be accepted!

Feedback

Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.

Change Log

Please see CHANGELOG for more information on what has changed recently.

Security

If you discover any security related issues, please email [email protected] instead of using the issue tracker.

Credits

Disallow Pwned Password is an Itineris Limited project created by Tang Rufus.

The full list of contributors can be found here.

Special thanks to Troy Hunt, whose Have I Been Pwned database makes this plugin possible. Also, the k-Anonymity validation is the awesome work of Junade Ali from Cloudflare.

License

Disallow Pwned Password is licensed under the GPLv2 (or later) from the Free Software Foundation. Please see License File for more information.


All versions of disallow-pwned-passwords with dependencies

Requires:

  • php ^7.0
  • league/container ^3.2
  • typisttech/wp-contained-hook dev-seven-zero