Pwned Passwords by FriendsOfFlarum
A Flarum extension that checks passwords against Have I Been Pwned's password database to see whether they have appeared in known data breaches.
Installation
Use Bazaar or install it with Composer:
composer require fof/pwned-passwords
Then log in and enable the extension.
Security
Some people may wonder whether this extension is secure to use, since it checks passwords against an API to see whether they have appeared in known data breaches. This extension is secure. Your passwords remain anonymous, whether or not you use this extension. When using the Pwned Passwords API, the plain-text password is never sent. Your password is hashed with SHA1 and only the first 5 characters of that hash are sent to the API, which returns the hashes that match those first 5 characters. The extension then does the comparison itself to see if there are any exact matches. Therefore, your password is not sent anywhere and remains anonymous.
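The check described above, as an added Python sketch (not the extension's own code, which is PHP). It assumes the API answers with lines of the form `SUFFIX:COUNT`; the function names, the stand-in `fake_fetch_range` and the sample response are constructed for illustration so the example runs offline.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; only the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the returned range; 0 means no exact match."""
    prefix, suffix = split_hash(password)
    # The exact-match comparison happens here, on our side, not at the API.
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed sample response (assumed format). The second line is the real
# SHA-1 suffix of the string "password"; the counts and other lines are made up.
SAMPLE_BODY = "\r\n".join([
    "0" * 34 + "1:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
    "F" * 35 + ":0",
    "not-a-valid-line",
])

SENT = []  # records everything that would have left the process

def fake_fetch_range(prefix):
    """Hypothetical stand-in for the HTTP request, so the example runs offline."""
    SENT.append(prefix)
    return SAMPLE_BODY

if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody has leaked"):
        print(repr(pw), "->", breach_count(pw, fake_fetch_range))
    print("values sent to the API:", SENT)
```

To audit a real deployment, replace `fake_fetch_range` with the actual HTTP call and confirm that `SENT` only ever holds 5-character values.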
Links
An extension by FriendsOfFlarum.