Download the PHP package valorin/pwned-validator without Composer
On this page you can find all versions of the php package valorin/pwned-validator. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download valorin/pwned-validator
More information about valorin/pwned-validator
Files in valorin/pwned-validator
Package pwned-validator
Short Description Super simple Laravel Validator for checking password via the Pwned Passwords service of Have I Been Pwned
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package pwned-validator
Pwned Passwords Validator for Laravel
Laravel includes an official Pwned Passwords validator via the Password::uncompromised() validation rule, so I recommend checking that out instead: https://laravel.com/docs/10.x/validation#validating-passwords
The Pwned Password validator checks the user's submitted password (in a registration or password change form) with the awesome HIBP Pwned Passwords service to see if it is a known pwned password. If the password has been pwned, it will fail validation, preventing the user from using that password in your app.
Pwned Passwords are half a billion real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts.
This uses the ranged search feature of the Pwned Passwords API, which uses k-anonymity to significantly reduce the risk of any information leakage when accessing the API. For most systems this should be more than secure enough, although you should definitely decide for yourself if it's suitable for your app.
Please make sure to check out the blog post by Troy Hunt, where he explains how the service works: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/.
Troy worked with Cloudflare on this service, and they have an in depth technical analysis on how it works and the security implications: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/.
Ultimately, it's up to you to decide if it's safe for your app or not.
Installation
Install the package using Composer:
Laravel's service provider discovery will automatically configure the Pwned service provider for you.
Add the validation message to your validation lang file:
For each language add a validation message to validation.php like below
Using the pwned validator
After installation, the pwned validator will be available for use directly in your validation rules.
Within the context of a registration form, it would look like this:
Using the Rule Object
Alternatively, you can use the Valorin\Pwned\Pwned Validation Rule Object
instead of the pwned alias if you prefer:
Validation message
You will need to assign your own validation message within the resources/lang/*/validation.php file(s).
Both the Rule object and the pwned validator alias refer to the validation string validation.pwned.
I haven't set a default language string as it is important you get the language right for your intended users.
In some systems a message like Your password has been pwned! Please use a new one! is suitable, while in other systems
you'd be better with something a lot longer:
Your password is insufficiently secure as it has been found in known password breaches, please choose a new one. Need help?
Thanks to kanalumaddela, you can use :min in the message to indicate the minimum number of times found set on the validator.
Your password is insufficiently secure as it has been found at least :min times in known password breaches, please choose a new one.
Limiting by the number of times the password was pwned
You can also limit rejected passwords to those that have been pwned a minimum number of times.
For example, password has been pwned 3,303,003 times, however P@ssword! has only been pwned 118 times.
If we wanted to block password but not P@ssword!, we can specify the minimum number as 150 like this:
or using the Rule object:
FAQs
Q: How secure is this?
A: Please check the above linked blog posts by Troy Hunt and Cloudflare, as they will answer your question and help you decide if it's safe enough for you.
Q: Do you do any caching?
A: Yep! Each prefix query is cached for a week, to prevent constant API requests if the same prefix is checked multiple times.
Q: Where are the tests?
A: To properly test this code, we need to hit the web service. I don't want to automate that, to avoid abusing this fantastic service. Instead, since it is an incredibly simplistic validator, I've opted to manually test it for now.
All versions of pwned-validator with dependencies
ext-curl Version *
illuminate/support Version ^5.5||^6.0||^7.0||^8.0|^9.0|^10.0||^11.0