Disallow Pwned Password

Version : 0.3.2
Tested up to : 5.0.3
Number of downloads : 17
Average rating : 0 / 5 on 0 votes

Screenshots

(four plugin screenshots, each captioned "Disallow Pwned Password")

Disallow WordPress and WooCommerce users from using pwned passwords.

Goal

Spoiler alert: user passwords never leave your server, not even in hashed form.

Reusing passwords is solely the users' fault. But when evil attackers brute-force users' passwords and steal all their personal information or spend users' hard-earned money through your site, those lazy users blame you, the site owner/developer.

"When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,… Passwords obtained from previous breach corpuses" — NIST Digital Identity Guidelines

This plugin's sole purpose is to disallow WordPress and WooCommerce users from reusing passwords listed in the Have I Been Pwned database.

Usage

Activate and forget. This plugin intercepts when:

- creating new users on /wp-admin/user-new.php
- changing other users' passwords on /wp-admin/user-edit.php
- changing your password on /wp-admin/profile.php
- new user registration on /wp-login.php?action=rp

Additional interceptions if WooCommerce is installed:

- WC_Form_Handler::process_reset_password on Home » My account » Lost password
- WC_Form_Handler::save_account_details on Home » My account » Account details
- WC_Form_Handler::process_registration on Home » My account
- WC_Checkout::validate_checkout on Home » Checkout

Explain It Like I'm Five

1. Troy Hunt, a well-known security expert, collected 6,493,641,194 (and counting) pwned passwords from previous security breaches.
2. Pwned passwords are stored as SHA-1 hashes on haveibeenpwned.com.
3. Whenever WordPress / WooCommerce users attempt to change their passwords, this plugin hashes the user password.
4. Take the first 5 characters from the hash.
5. Ask haveibeenpwned.com for all pwned passwords with the same first 5 hash characters.
6. Check how many times the user password appears in the Have I Been Pwned database.
7. Disallow the password change if it has been pwned.

Users aged older than five could learn more from:

- Have I Been Pwned's FAQs
- Why SHA-1 was chosen in the Pwned Passwords
- I've [Troy Hunt] Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
- Validating Leaked Passwords with k-Anonymity

For Developers

Fork the plugin on GitHub.
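The seven-step check above is the k-anonymity range query: the server sends only the first five hex characters of the SHA-1 hash, receives every known suffix sharing that prefix, and compares the remaining 35 characters locally, so the service never learns the full hash. The following is an added example, written here in Python and not the plugin's own (PHP) code. It assumes the range endpoint is https://api.pwnedpasswords.com/range/{prefix} (the page only says "ask haveibeenpwned.com"), does no network call, and instead feeds a constructed response body through the same parsing and comparison logic; the only real value in the sample data is the SHA-1 of "password", every other suffix and count is made up.

```python
import hashlib
from typing import Callable

# Endpoint a real deployment would query with the 5-character prefix (assumed;
# the plugin page only says "ask haveibeenpwned.com"). Not called in this example.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split the upper-case hex digest into the
    5-character prefix that is sent to the service and the 35-character suffix
    that stays on the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line.
    Entries with a count of 0 (padding the service may add so that response
    sizes reveal nothing) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        count_value = int(count.strip() or 0)
        if count_value > 0:
            counts[suffix.strip().upper()] = count_value
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus.
    Only the prefix is handed to fetch_range; the suffix comparison is local,
    so the full hash never leaves this function."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_password_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """The rule as the page states it: a password seen even once is rejected."""
    return pwned_count(password, fetch_range) == 0


# --- Constructed sample data (not a real API response) ---------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6 and the second suffix below is the rest of that digest. The other
# suffixes and all counts are made up to show the response shape, including
# a zero-count padding line.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
        "2DF6C6DDC5F3C1F0B6F5D9B9D5BEE3E6D7C:0\r\n"
    ),
}


def sample_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET of RANGE_API + prefix; returns the constructed body."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "a-password-not-in-the-sample"):
        n = pwned_count(candidate, sample_fetch_range)
        verdict = "rejected" if n else "allowed"
        print(f"{candidate!r}: seen {n} times -> {verdict}")
```

In a WordPress deployment the `fetch_range` callable would be the HTTP client (the plugin would use the WordPress HTTP API), and a failed or slow lookup needs a deliberate policy: failing open lets a pwned password through, failing closed blocks every password change while the service is unreachable, so whichever is chosen should be logged.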
