12/03
2018
Wallogit.com
2017 © Pedro Peláez
library magento2-module-pwned-validator
Add 'Have I been pwned?' validator to Magento 2.
timpack/magento2-module-pwned-validator
Add 'Have I been pwned?' validator to Magento 2.
- Monday, March 12, 2018
- by tdegroot96
- Repository
- 1 Watchers
- 3 Stars
- 0 Installations
- PHP
- 0 Dependents
- 0 Suggesters
- 0 Forks
- 0 Open issues
- 2 Versions
- 0 % Grown
The README.md
Magento 2 Have I Been Pwned Validator
This module adds a validator which checks if the submitted password is found in public databases using the Have I Been Pwned? service., (*1)
Security
There are no security drawbacks, because there are no actual passwords being submitted over the internet. This is possible by hashing the password using the SHA-1 algorithm and request all hashes in the Have I been Pwned? databases starting with the first 5 characters of the password hash. This resultset contains a list of hashes and the amount of occurrences., (*2)
This way the password stays inside the Magento process., (*3)
Installation
composer require timpack/magento2-module-pwned-validator bin/magento setup:upgrade
Configuration
You can configure the threshold of the validator, at which count of occurrences in the resultset the password should be considered insecure/invalid. This configuration can be found at:, (*4)
Stores -> Configuration -> Customer -> Customer Configuration -> Pwned Validator -> Minimum amount of matches, (*5)
Credits
This module was heavily inspired by Valorin's Pwned validator written for Laravel: valorin/pwned-validator, (*6)