Disallow Pwned Password

€0

Disallow WordPress and WooCommerce users using pwned passwords. Goal Spoiler Alert: User passwords never leave your server, not even in hashed form. Although reusing passwords is solely

Version	0.3.2
Last updated	2018.11.28
Active installations	20
WordPress Version	4.9.8
Tested up to	5.0.20
PHP Version	7.0
pa_languages	English,(US),Norwegian,(Bokmål)
Rating	5.00
Total ratings	2
Tag	authenticationpasswordsecurity

This plugin is outdated and might not be supported anymore.

Go back

View on WordPress site

Description

Disallow WordPress and WooCommerce users using pwned passwords.

Goal

Spoiler Alert: User passwords never leave your server, not even in hashed form.

Although reusing passwords is solely users’ fault but when evil attackers brute forced users’ passwords, and stole all their personal information or spent users’ hard earn money through your site. Those lazy users blame you, the site owner/developer.

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example,…

Passwords obtained from previous breach corpuses

— NIST Digital Identity Guidelines

This plugin’s solely purpose is to disallow WordPress and WooCommerce users reusing passwords listed in Have I Been Pwned database.

Usage

Activate and forget.

This plugin intercepts when:

creating new users on /wp-admin/user-new.php
changing other users’ passwords on /wp-admin/user-edit.php
changing your password on /wp-admin/profile.php
new user registration on /wp-login.php?action=rp

Additional interceptions if WooCommerce is installed:

WC_Form_Handler::process_reset_password on Home » My account » Lost password
WC_Form_Handler::save_account_details on Home » My account » Account details
WC_Form_Handler::process_registration on Home » My account
WC_Checkout::validate_checkout on Home » Checkout

Explain It Like I’m Five

Troy Hunt, a well-kown security expert, collected 6,493,641,194 (and counting) pwned passwords from previous security breaches
Pwned passwords stored as SHA-1 hashes on haveibeenpwned.com
Whenever WordPress / WooCommerce users attempt to change their passwords, this plugin hashes the user password
Take the first 5 characters from the hash
Ask haveibeenpwned.com for all pwned passwords with the same first 5 hash characters
Check how many times the user password appears on the have I been pwned database
Disallow the password change if it has been pwned

Users aged older than five could learn more from:

For Developers

Fork the plugin on GitHub.