Laravel validator rule that checks if a password has been pwned in any public data breaches. This uses Troy Hunt's Pwned Password API https://haveibeenpwned.com/API/v2 to check for pwned passwords.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src
.gitignore
LICENSE
composer.json
readme.md

readme.md

Laravel Pwned Password Validator

Adds a Laravel validator rule that checks if a password has been pwned in any public data breaches. This uses Troy Hunt's Pwned Password API https://haveibeenpwned.com/API/v2 to check for pwned passwords.

Installation

Using composer:

composer require "payfast/laravel-validate-pwned-password":"^1.0"

For old verions of Laravel (<5.5) and Lumen you may need to manually register the service provider. Add in bootstrap/app.php

    $app->register('PayFast\\Providers\\PwnedPasswordServiceProvider');

Usage

When using Laravel Validation you can now add a new rule pwnedpassword to any field that will contain a password. This rule will fail the input if the supplied value matches a known pwned password.

Example:

return Validator::make($data, [
    'password' => 'required|string|min:8|pwnedpassword|confirmed',
]);

Customization

To change the error message add a language string to resources/lang/en/validation.php

    'pwnedpassword' => 'This :attribute is not secure. It appears :count times in the Pwned Passwords database of security breaches. For more information: https://haveibeenpwned.com/Passwords'