
Abandoned → [fof/pwned-passwords](/?search=fof%2Fpwned-passwords) · Flarum-extension · [Security](/categories/security)

reflar/pwned-passwords
======================

Check passwords against the Have I Been Pwned password database

1.1.1 (2y ago) · 7738 · MIT · PHP · CI passing

Since Jan 7 · Pushed 4w ago · 3 watchers


Pwned Passwords by FriendsOfFlarum
==================================


Protects your Flarum community by checking passwords against [Have I Been Pwned](https://haveibeenpwned.com/Passwords) — a database of passwords exposed in known data breaches. Passwords are checked securely using the k-anonymity model: only the first 5 characters of the SHA-1 hash are ever sent to the API, so no plaintext password data leaves your server.

Features
--------


- **Registration check** — blocks sign-up with a known-compromised password
- **Password reset check** — prevents users from resetting to a known-compromised password
- **Login check** *(optional)* — detects accounts already using a compromised password at login time and sends a password reset email automatically
- **Admin revocation** *(optional)* — strips admin permissions from any account using a compromised password until it is changed
- **Persistent notice banner** — shows an alert to the affected user on every page until they change their password, with a "Resend Reset Email" button and a configurable "Learn More" link
- **Configurable learn-more URL** — defaults to `haveibeenpwned.com/Passwords`; can be overridden in the admin panel with a forum-hosted explanation page

How it works
------------


Password checks use the [HIBP Pwned Passwords range API](https://haveibeenpwned.com/API/v3#PwnedPasswords) with k-anonymity:

1. The password is hashed with SHA-1 locally
2. Only the first 5 hex characters of the hash are sent to `api.pwnedpasswords.com`
3. The API returns all matching hash suffixes (padded to a consistent size)
4. The extension checks whether the rest of the hash appears among the returned suffixes. This comparison happens locally, on your Flarum server in PHP, not at the API

No password or full hash is ever transmitted.
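
The four steps above, sketched as an added example (this is not the extension's own code). The function names are hypothetical and the response body is constructed, with made-up counts; it assumes the range response is one `SUFFIX:COUNT` pair per line and that padding entries carry a count of 0.

```php
<?php
declare(strict_types=1);

/** Steps 1-2: hash locally, return [5-char prefix to send, 35-char suffix kept local]. */
function hibpSplit(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/** Step 4: look for our suffix in the range response; returns the breach count, 0 if absent. */
function hibpCountInRange(string $suffix, string $body): int
{
    foreach (preg_split('/\r\n|\n|\r/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2 || !ctype_digit($parts[1])) {
            continue; // ignore blank or malformed lines
        }
        if (strtoupper($parts[0]) === $suffix) {
            // A padding entry matches syntactically but has count 0: not compromised.
            return (int) $parts[1];
        }
    }
    return 0;
}

// --- Offline demonstration with a constructed response (step 3 stand-in) ---
[$prefix, $suffix] = hibpSplit('password');

// Only this would leave the server: the 5-character prefix in the request path.
echo "Would request: https://api.pwnedpasswords.com/range/{$prefix}\n";

// Constructed body: one unrelated suffix, our suffix, and one padding entry (count 0).
$sampleBody = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
            . strtolower($suffix) . ":42\r\n"            // lower case on purpose
            . "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n";

$count = hibpCountInRange($suffix, $sampleBody);
echo $count > 0 ? "Compromised, seen {$count} times\n" : "Not found in this range\n";

// A suffix that only appears as a padding entry must be treated as clean.
$padded = hibpCountInRange(str_repeat('F', 35), $sampleBody);
echo $padded > 0 ? "Compromised\n" : "Padding entry ignored\n";
```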

Installation
------------


```
composer require fof/pwned-passwords
```

Updating
--------


```
composer update fof/pwned-passwords
php flarum migrate
php flarum cache:clear
```

Configuration
-------------


Navigate to **Admin → Extensions → FoF Pwned Passwords**:

| Setting | Description |
| --- | --- |
| Enable password check on login | Check passwords at login and send a reset email if compromised |
| Revoke permissions from pwned admins | Remove admin access until the user changes their password |
| "Learn More" link URL | URL shown in the notice banner (defaults to `haveibeenpwned.com/Passwords`) |

Links
-----


- [Packagist](https://packagist.org/packages/fof/pwned-passwords)
- [GitHub](https://github.com/FriendsOfFlarum/pwned-passwords)
- [Discuss](https://discuss.flarum.org/d/18348)

An extension by [FriendsOfFlarum](https://github.com/FriendsOfFlarum).

###  Health Score

45 (Fair), better than 92% of packages

- Maintenance: 62. Regular maintenance activity
- Popularity: 19. Limited adoption so far
- Community: 20. Small or concentrated contributor base
- Maturity: 70. Established project with proven stability
- Bus Factor: 3. 3 contributors hold 50%+ of commits

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

- Cadence: every ~139 days (recently: every ~234 days)
- Total: 20
- Last Release: 28d ago
- Major Versions:
  - 0.7.0 → 1.0.0 (2021-05-23)
  - 1.x-dev → 2.0.0-beta.1 (2026-04-14)

### Community

Maintainers

- [datitisev](/maintainers/datitisev)
- [OrdinaryJellyfish](/maintainers/OrdinaryJellyfish)
- [Ralkage](/maintainers/Ralkage)
- [CDK2020](/maintainers/CDK2020)

---

Top Contributors

- [OrdinaryJellyfish](https://github.com/OrdinaryJellyfish) (26 commits)
- [dsevillamartin](https://github.com/dsevillamartin) (15 commits)
- [imorland](https://github.com/imorland) (15 commits)
- [dependabot[bot]](https://github.com/dependabot[bot]) (11 commits)
- [flarum-bot](https://github.com/flarum-bot) (7 commits)
- [Ralkage](https://github.com/Ralkage) (3 commits)
- [karaok491](https://github.com/karaok491) (3 commits)
- [samuelfranzini](https://github.com/samuelfranzini) (2 commits)
- [clarkwinkelmann](https://github.com/clarkwinkelmann) (2 commits)
- [4yx](https://github.com/4yx) (2 commits)
- [manaszon](https://github.com/manaszon) (1 commit)

---

Tags

composer, flarum, friendsofflarum, pwned-password-database

