For checking user passwords against "Have I Been Pwned" local password list.




PHP 7.0


Create a domain like on your webserver and secure it with HTTPS.
Download the password list via torrent or direct link from $ wget

Extraction will take some time: $ nohup 7z e pwned-passwords-ordered-by-count.7z &

After extracting you can delete the pwned-passwords-ordered-by-count.7z with: $ rm pwned-passwords-ordered-by-count.7z

Now create the SQLite3 database files:
$ nohup php pwnedCreateDBs new pwned-passwords-ordered-by-count.txt secretDatabasePassword.db secretDatabaseCustomPassword.db &
secretDatabaseCustomPassword.db must be specified. You can delete it afterwards if you set $pwnedTrackPasswords to False in pwnedConf.php.

This also takes a long time, so have some more coffee and go to lunch. When it has finished you can delete the pwned-passwords-ordered-by-count.txt file, create a dummy index.html and edit pwnedConf.php:
$ rm pwned-passwords-ordered-by-count.txt
$ touch index.html
$ joe pwnedConf.php

Now you can adapt pwnedUserAuth.php for custom user access.


With $pwnedAllowGet = True in pwnedConf.php you can test it easily by calling the following URLs. The first URL is pwned, the second is not. Please use $pwnedAllowGet = True only for testing! Passwords passed in a GET query string end up in web server access logs and browser history.

Response: {"error":false,"msg":"","pwned":1}

Response: {"error":false,"msg":"","pwned":0}
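
The lookup behind these responses, sketched as an added example in Python (not the project's PHP code): it loads list lines into an indexed SQLite table and checks a candidate password by its SHA-1 digest. The `SHA1:count` line layout, the table schema, the function names and the error shape are assumptions made for illustration, and the sample lines are constructed.

```python
import hashlib
import sqlite3

# Constructed sample lines in an assumed "SHA1:count" layout; counts are made up.
SAMPLE_LINES = [
    hashlib.sha1(b"123456").hexdigest().upper() + ":3",
    hashlib.sha1(b"password").hexdigest().upper() + ":2",
    "not-a-hash-line",  # malformed line, must be skipped
]


def build_db(lines, path=":memory:"):
    """Load hash:count lines into an indexed SQLite table (hypothetical schema)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE pwned (hash BLOB PRIMARY KEY, count INTEGER) WITHOUT ROWID"
    )
    rows = []
    for line in lines:
        digest, _, count = line.strip().partition(":")
        if len(digest) != 40 or not count.isdigit():
            continue  # not a 40-hex-digit SHA-1 followed by a count
        try:
            rows.append((bytes.fromhex(digest), int(count)))
        except ValueError:
            continue  # right length but not hexadecimal
    db.executemany("INSERT OR IGNORE INTO pwned VALUES (?, ?)", rows)
    db.commit()
    return db


def check_password(db, password):
    """Return a dict with the keys of the responses above: error, msg, pwned."""
    try:
        # Only the digest is used for the lookup; the plaintext is never stored.
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        hit = db.execute(
            "SELECT 1 FROM pwned WHERE hash = ?", (digest,)
        ).fetchone()
    except (sqlite3.Error, UnicodeError) as exc:
        # A failed lookup is reported as an error, never as "not pwned".
        return {"error": True, "msg": type(exc).__name__, "pwned": None}
    return {"error": False, "msg": "", "pwned": 1 if hit else 0}


if __name__ == "__main__":
    db = build_db(SAMPLE_LINES)
    print(check_password(db, "123456"))
    print(check_password(db, "correct horse battery staple"))
```

A caller should check `error` before reading `pwned`, so that a database failure does not let a breached password through.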


Distributed under BSD license. (c) by 0bj UG (haftungsbeschränkt)


