

simplygoodwork/craft-pwny
=========================

Validate user passwords against the Pwned Passwords API

Version 1.0.2 (11mo ago) · proprietary · PHP ^8.2

[Source](https://github.com/simplygoodwork/craft-pwny) · [Packagist](https://packagist.org/packages/simplygoodwork/craft-pwny)

Pwny plugin for Craft CMS
=========================

Enhance your site's security by ensuring users select stronger passwords than `password`. The plugin employs the k-Anonymity method to validate passwords against the Pwned Passwords API without compromising user privacy by revealing passwords to an external service.

This plugin was inspired by the Cloudflare blog post [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/) and this one by [Troy Hunt](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/), creator of the [Have I Been Pwned](https://haveibeenpwned.com/?ref=troyhunt.com) service.

[![Error message](./images/error.png)](./images/error.png)

Requirements
------------

This plugin requires Craft CMS `5.3.0` or later.

The plugin calls the free [Have I Been Pwned API](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange) at `https://api.pwnedpasswords.com/`. If your host restricts outbound requests, add this address to its allowlist.
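What a k-anonymity range lookup against that address sends and checks, as an added PHP example (not the plugin's own code): only the first five hex characters of the password's SHA-1 hash go to the API, and the remaining 35 are matched locally. The function names, the injectable `$fetchRange` callable and the sample response are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. All names here are hypothetical.

/** Returns how often $password appears in the breach corpus; 0 means not found. */
function pwnedCount(string $password, callable $fetchRange): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5); // the only part sent to the API
    $suffix = substr($hash, 5);    // 35 hex chars, compared locally

    foreach (preg_split('/\r?\n/', trim($fetchRange($prefix))) as $line) {
        // Each response line has the form SUFFIX:COUNT
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (strtoupper($candidate) === $suffix) {
            return (int) $count; // padding entries carry a count of 0
        }
    }
    return 0;
}

/** Live fetcher. Assumes allow_url_fopen is enabled; throws on network failure. */
function fetchRangeLive(string $prefix): string
{
    $context = stream_context_create(['http' => [
        // Add-Padding asks the API to pad the response so its size leaks less
        'header'  => "User-Agent: pwny-example\r\nAdd-Padding: true\r\n",
        'timeout' => 5,
    ]]);
    $body = @file_get_contents("https://api.pwnedpasswords.com/range/{$prefix}", false, $context);
    if ($body === false) {
        throw new RuntimeException('Pwned Passwords range request failed');
    }
    return $body;
}

// Offline run against a constructed response for prefix 5BAA6 (counts are made up).
$sent = [];
$stub = function (string $prefix) use (&$sent): string {
    $sent[] = $prefix; // record everything that would have left the server
    return "0000000000000000000000000000000000A:3\r\n"
         . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
         . "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n";
};

printf("count=%d sent=%s\n", pwnedCount('password', $stub), implode(',', $sent));
```

Pass `'fetchRangeLive'` instead of `$stub` to query the real endpoint; whether a failed request should block or allow the password change is a policy decision left to the caller.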

Installation
------------

To install the plugin, follow these instructions:

```
composer require "simplygoodwork/craft-pwny:^1.0.0" -w && php craft plugin/install pwny
```

For DDEV users:

```
ddev composer require "simplygoodwork/craft-pwny:^1.0.0" -w && ddev craft plugin/install pwny
```

Settings
--------

You can toggle the service on or off, restrict the check to users with control panel (CP) access, and customise the error message.

[![Settings](./images/settings.png)](./images/settings.png)

If you want to toggle the plugin on/off using environment variables, you could create a `config/pwny.php` file to override this setting. The example below uses `PWNY_ENABLED` in `.env` but defaults to `true` (on) if the variable can't be found:

```
