Laravel Pwned Password Validator
Adds a Laravel validator rule that checks if a password has been pwned in any public data breaches. This uses Troy Hunt's Pwned Password API https://haveibeenpwned.com/API/v2 to check for pwned passwords.
Installation
Using composer:
composer require "payfast/laravel-validate-pwned-password":"^1.0"
For old verions of Laravel (<5.5) and Lumen you may need to manually register the service provider. Add in bootstrap/app.php
$app->register('PayFast\\Providers\\PwnedPasswordServiceProvider');
Usage
When using Laravel Validation you can now add a new rule pwnedpassword
to any field that will contain a password. This rule will fail the input if the supplied value matches a known pwned password.
Example:
return Validator::make($data, [
'password' => 'required|string|min:8|pwnedpassword|confirmed',
]);
Customization
To change the error message add a language string to resources/lang/en/validation.php
'pwnedpassword' => 'This :attribute is not secure. It appears :count times in the Pwned Passwords database of security breaches. For more information: https://haveibeenpwned.com/Passwords'