Module Description
This module uses the Have I Been Pwned - HIBP "Passwords" API v2 to validate passwords entered by a user.
Currently it prevents the user to select any password present in the database, more options will come.
Why this module?
As Troy Hunt explains in this article, it's a good idea to prevent people using already publicly known passwords. In fact it's not only him, but also NIST has a special publication on the topic "Digital Identity Guidelines", in which they clearly stating that you shouldn't be allowing people to use a password that's been breached before, among other types of passwords they shouldn't be using.
This module will do exactly that, prevent users from compromising themselves (and your website) by choosing a known password.
Anonymity
I was skeptical about Troy's service on Version 1, because even if you sent the sha1 hash and not the plain text password, you were still sending the complete information about it. Now version 2 of the API is out and uses an implementation of k-anonymity, which allows to retain the secrecy of your password, even the hashed one. In fact only 5 characters of the whole hash are sent to the service, from which it's basically impossible to discover the original plaintext password, not even get close to it. In the light of this new service I decided to bring this to Drupal to help spread the adoption and even more help our users to chose better/safer passwords. You can read more about this service and k-anonymity in Troy's blog post and the more technical one on Cloudflare blog.
Drupal 7?
If you need a Drupal 7 version look over at Password Have I Been Pwned?.
Drupal 9?
This module is made compatible with Drupal 9.
Currently it prevents the user to select any password present in the database, more options will come.
Why this module?
As Troy Hunt explains in this article, it's a good idea to prevent people using already publicly known passwords. In fact it's not only him, but also NIST has a special publication on the topic "Digital Identity Guidelines", in which they clearly stating that you shouldn't be allowing people to use a password that's been breached before, among other types of passwords they shouldn't be using.
This module will do exactly that, prevent users from compromising themselves (and your website) by choosing a known password.
Anonymity
I was skeptical about Troy's service on Version 1, because even if you sent the sha1 hash and not the plain text password, you were still sending the complete information about it. Now version 2 of the API is out and uses an implementation of k-anonymity, which allows to retain the secrecy of your password, even the hashed one. In fact only 5 characters of the whole hash are sent to the service, from which it's basically impossible to discover the original plaintext password, not even get close to it. In the light of this new service I decided to bring this to Drupal to help spread the adoption and even more help our users to chose better/safer passwords. You can read more about this service and k-anonymity in Troy's blog post and the more technical one on Cloudflare blog.
Drupal 7?
If you need a Drupal 7 version look over at Password Have I Been Pwned?.
Drupal 9?
This module is made compatible with Drupal 9.
Module Link
Project Usage
270
Security Covered
Covered By Security Advisory
Version Available
Production
Module Summary
This module aims to prevent users from selecting compromised passwords by utilizing the Have I Been Pwned - HIBP 'Passwords' API v2 for validation.
Data Name
pwned_passwords
OPENAI CHATBOT
OPENAI CHATBOT
