Protect your user's passwords.
What is PassProtect?
PassProtect is a developer library created and maintained by Randall Degges that you can drop into any web page which dramatically improves the security of users accessing your website.
PassProtect works by binding itself to all
input elements on the page of type
password. Whenever a user enters a new value into one of these
input elements, PassProtect will check the user's email / password against
the fabulous Have I Been Pwned? API service to see whether or not
the user's email OR password has been breached in the past.
Finally, if appropriate, PassProtect will inform the user that their credentials were previously breached, give them some useful information, and ask them to update their password as soon as they can to reduce the risk that their account will be compromised.
PassProtect is a new, experimental way to proactively notify users about data breaches and help casual web users play a more active role in protecting their online accounts.
We believe that by informing and guiding users to reset their credentials when necessary, we can all help make the web a safer place <3
How to Use PassProtect
To use PassProtect in your website, simply copy the following script tag anywhere on your page. Don't worry about where you put it: anywhere is fine. It will run once the page has loaded and will initialize itself without any configuration necessary.
<html> <head> <!-- ... --> </head> <body> <!-- ... --> <script src="https://cdn.passprotect.io/passprotect.min.js"></script> </body> </html>
You'll ideally want to include the PassProtect script tag on every page that
input element. There is almost no performance penalty for
including PassProtect on all pages of your site -- if a page doesn't contain any
input elements, PassProtect won't do anything and will immediately exit.
To keep things simple, our recommended approach is to just include the PassProtect script on every page of your site.
Is PassProtect Secure?
PassProtect never sends or stores password information over the network. It uses k-Anonymity to safely communicate your sensitive data over the internet without risk.
PassProtect is also completely free, open source, and maintained by Randall Degges. If you want to audit the source, or have ideas about how to do things better, please open a GitHub issue or email me directly.
1.0.0: May 24, 2018
- Removing email breach detection functionality.
0.2.1: May 22, 2018
- Improving form binding for posterity.
0.2.0: May 22, 2018
- Removing redundant
- Adding Firefox support.
0.1.0: May 19, 2018
- First release! Yey.