PwnedPass is a client side js module to quickly check if a password has been compromised in past data breaches. Protect your users and boost your apps' security by warning against weak and insecure passwords.
Its small footprint and ease of use allows you to quickly and securely check a password against a large set of known exposed passwords from past data breaches. Exposed password data provided by https://haveibeenpwned.com/Passwords.
View live demo on jsfiddle.
The check function accepts a plaintext password or an SHA-1 hash as its first parameter. A plaintext password will be hashed. The second parameter is a callback for when a match is found.
PwnedPass.check(password, function(){
console.log("this password was found in the haveibeenpwned password data");
});Optionally, the second parameter can be an object with two callbacks: Pwned and Clean.
// multiple callbacks
PwnedPass.check(password, {
Pwned: function(){ console.log("this password was found in the haveibeenpwned password data"); },
Clean: function(){ console.log("this password is clean"); },
});If a plaintext password resembles an SHA-1 hash, then it wont be hashed automatically. You need to specify the ForceHash value in the second parameter object.
// force sha1 hashing of input
PwnedPass.check(password, {
ForceHash: true,
Pwned: function(){ console.log("this password was found in the haveibeenpwned password data"); },
});The SHA-1 hashing relies on crypto.subtle (Specification status: Recommended). See its browser compatibility. If this does not suit your needs, you can use another solution to perform the hash, then provide PwnedPass with an SHA-1 hash instead of a plaintext password.
TextEncoder is also used for performing the SHA-1 hashing. See browser compatibility. As of this writing, it is not broadly supported, but there is a polyfill here: Polyfill for the Encoding Living Standard's API.
Some other JS features used (click for browser compatibility): Promises, async/await
If you have feature requests or bug reports, feel free to help out by sending pull requests or by creating new issues.
PwnedPass is distributed under the terms and conditions of the MIT license. The "Have I Been Pwned?" Data and API is licensed under a Creative Commons Attribution 4.0 International License.