Introducing Pwny (pronounced “po-nee”), the latest security-focused plugin with a tenuous equestrian pun from the Good Work stable. This plugin is designed to enhance your Craft CMS site security by ensuring users avoid passwords exposed in data breaches.
Inspired by Cloudflare’s blog post on Validating Leaked Passwords with k-Anonymity and Troy Hunt’s work on Have I Been Pwned, Pwny employs a k-Anonymity method to validate passwords against the Pwned Passwords API without compromising user privacy.
Although Craft CMS already stores passwords as hashes, an additional check can be added at the point where a password is set. Pwny hashes the candidate password and sends only the first few characters of that hash (the k-anonymity prefix) to the Pwned Passwords API. Because a short hash prefix is shared by many possible passwords, the API cannot recover the password from it. The API returns the list of breached hashes that share the prefix, and Pwny compares the remaining part of the hash against that list locally to decide whether the password is risky.
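The prefix-and-compare flow described above, as an added Python example (not the plugin's own code): the range response is a constructed stand-in, the only real value in it being the SHA-1 of "password", and `fake_fetch` stands in for the HTTP call so the example runs offline.

```python
import hashlib
from typing import Callable

PREFIX_LEN = 5  # the range endpoint accepts the first 5 hex chars of a SHA-1 hash
SENT_PREFIXES: list[str] = []  # records what actually leaves the machine

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> tuple[str, str]:
    """Prefix that is sent to the API, suffix that never leaves the machine."""
    digest = digest.upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count for the password, 0 if unlisted. Only the prefix reaches fetch_range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for a range response (a real one has hundreds of lines).
# The first suffix completes the SHA-1 of "password" (5BAA61E4...); counts are made up.
FAKE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1BEB0C1FC5CE0B8A4A6A8E1B5A1D4E9E8A9:2",
    "not a valid line",
])

def fake_fetch(prefix: str) -> str:
    """Offline fetcher: records the prefix it was given and returns the constructed response."""
    SENT_PREFIXES.append(prefix)
    return FAKE_RANGE_RESPONSE

if __name__ == "__main__":
    print(pwned_count("password", fake_fetch))  # 3861493 with the constructed data
```

For a live check, a fetcher would GET `https://api.pwnedpasswords.com/range/<prefix>` and pass the response body to `parse_range_response`; the suffix and the password itself are never sent.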
Pwny is easy to download and configure. The password-checking API doesn’t require a key, so you can start using it with default settings.