Initial release

2023-01-12 11:59:58 +01:00 · 2023-01-12 11:59:58 +01:00 · 29d2c37103
commit 29d2c37103
parent dceafe326f
2 changed files with 79 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,16 @@
-# Breached-password-check
-PHP function for checking passwords against the "Have I been Pwned" database
+# Password check using k-Anonymity
+PHP function for checking passwords against the pwnedpasswords.com database
+
+You can add this function inside your functions file.
+
+k-Anonymity means that it does NOT send your password over the internet but hashes it and only sends a part of the hash to request a list of all hashed passwords which have been compromised. 
+You will not send your password over the internet!
+
+For example your password is 'Welcome01'
+
+This will be hashed to: a1a2094820f0313d61da4f44032013eaf6c2b7d3
+Only 'a1a20' will be send to the pwnedpasswords.com API which will return a list of ALL passwords which have been compromised where the hash starts with 'a1a20'. 
+
+You then download that list and check if the full hashed password is found it the list.
+
+In case it is found your password is compromised and you can build your site that this password cannot be used or just warn the user.
--- a/check_password.php
+++ b/check_password.php
@ -0,0 +1,63 @@
+<?php
+function password_check($password_check_input) {
+
+// Encrypt your password and uppercase all chars
+$sha1_password = strtoupper(sha1($password_check_input));
+// Trim to the first 5 characters of the hash
+$sha1_password_short = substr($sha1_password, 0, 5);
+
+// Fetch hash list
+$curl = curl_init();
+
+        curl_setopt_array($curl, array(
+                CURLOPT_URL => "https://api.pwnedpasswords.com/range/$sha1_password_short",
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_ENCODING => "",
+                CURLOPT_MAXREDIRS => 10,
+                CURLOPT_TIMEOUT => 30,
+                CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
+                CURLOPT_CUSTOMREQUEST => "GET",
+                CURLOPT_HTTPHEADER => array(
+                        "content-type: text/plain"
+                ),
+        ));
+
+$response = curl_exec($curl);
+$err = curl_error($curl);
+
+// Put reponse into an array
+$lines = explode(PHP_EOL, $response);
+
+// Set hitcounter to ZERO
+$hitcounter=0;
+
+// Loop through all lines
+foreach ($lines as $line => $row) {
+        // Join the 5 sha1 chars with the result
+        $row = $sha1_password_short . $row;
+        // Break output
+        $row = explode(':', $row);
+        // Set hash as row (part zero of the explode)
+        $row = $row[0];
+
+        // Check if the hash matches your encrypted password
+        if ($row == $sha1_password) {
+                $hitcounter++;
+        }
+}
+
+curl_close($curl);
+
+if ($err) {
+        echo "cURL Error: $err";
+}
+
+if ($hitcounter != 0) {
+        echo "<p><center>The chosen password is known as a breached password!<br>
+        Please select a different password</center></p>";
+        die;
+}
+}
+
+password_check($MySsecretPassword);
+?>