Protect your users' passwords.

PassProtect demo

What is PassProtect?

PassProtect is a developer library, created and maintained by Randall Degges, that you can drop into any web page to dramatically improve the security of users accessing your website.

PassProtect works by binding itself to all input elements on the page of type email or password. Whenever a user enters a new value into one of these input elements, PassProtect will check the user's email / password against the fabulous Have I Been Pwned? API service to see whether or not the user's email OR password has been breached in the past.

Finally, if appropriate, PassProtect will inform the user that their credentials were previously breached, give them some useful information, and ask them to update their password as soon as they can to reduce the risk that their account will be compromised.

PassProtect is a new, experimental way to proactively notify users about data breaches and help casual web users play a more active role in protecting their online accounts.

We believe that by informing and guiding users to reset their credentials when necessary, we can all help make the web a safer place <3

How to Use PassProtect

To use PassProtect in your website, simply copy the following script tag anywhere on your page. Don't worry about where you put it: anywhere is fine. It will run once the page has loaded and will initialize itself without any configuration necessary.

    <!-- ... -->
    <!-- ... -->
    <script src=""></script>

You'll ideally want to include the PassProtect script tag on every page that contains an input element. There is almost no performance penalty for including PassProtect on all pages of your site -- if a page doesn't contain any input elements, PassProtect won't do anything and will immediately exit.

To keep things simple, our recommended approach is to just include the PassProtect script on every page of your site.

Is PassProtect Secure?


PassProtect never stores password information or sends it over the network. It uses k-Anonymity to safely communicate your sensitive data over the internet without risk.
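The k-anonymity exchange described above, as an added example that is not PassProtect's own code. It assumes the Have I Been Pwned Pwned Passwords range format, in which the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally; the function names and the sample response are constructed for illustration.

```javascript
// Added example, not PassProtect's source. Assumes the HIBP Pwned Passwords
// range format; helper names and sample data are constructed.

// SHA-1 via Web Crypto (browsers and recent Node.js); 40 uppercase hex chars.
async function sha1Hex(text) {
  const bytes = new TextEncoder().encode(text);
  const digest = await globalThis.crypto.subtle.digest("SHA-1", bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("").toUpperCase();
}

// Only `prefix` (5 hex chars, 20 bits of the hash) ever leaves the client.
function splitHash(hashHex) {
  if (!/^[0-9a-f]{40}$/i.test(hashHex)) throw new Error("expected a SHA-1 hex digest");
  const upper = hashHex.toUpperCase();
  return { prefix: upper.slice(0, 5), suffix: upper.slice(5) };
}

// The response body has one "SUFFIX:COUNT" entry per line. Matching is done
// locally; malformed lines are ignored and padding entries (count 0) read as
// "not found".
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9a-f]{35}):(\d+)$/i.exec(line.trim());
    if (m && m[1].toUpperCase() === suffix.toUpperCase()) return Number(m[2]);
  }
  return 0;
}

// fetchRange(prefix) resolves to the response body. It is injected so the
// example runs offline; a live one would GET
// https://api.pwnedpasswords.com/range/<prefix>.
async function pwnedCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(await fetchRange(prefix), suffix);
}

// Constructed response for prefix 5BAA6, the start of SHA-1("password").
const SAMPLE_RANGE_BODY = [
  "0123456789ABCDEF0123456789ABCDEF012:7", // unrelated suffix
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42", // "password"; count is made up
  "F".repeat(35) + ":0", // padding-style entry
].join("\r\n");

const sentToServer = [];
pwnedCount("password", async (p) => (sentToServer.push(p), SAMPLE_RANGE_BODY))
  .then((n) => console.log(`sent "${sentToServer[0]}", seen ${n} times`))
  .catch((err) => console.error(err.message));
```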

PassProtect is also completely free, open source, and maintained by Randall Degges. If you want to audit the source, or have ideas about how to do things better, please open a GitHub issue or email me directly.


1.0.0: May 24, 2018

  • Removing email breach detection functionality.

0.2.1: May 22, 2018

  • Improving form binding for posterity.

0.2.0: May 22, 2018

  • Removing redundant npm publish script.
  • Adding Firefox support.

0.1.0: May 19, 2018

  • First release! Yey.