Initial release
parent
dceafe326f
commit
29d2c37103
18
README.md
18
README.md
@ -1,2 +1,16 @@
|
|||||||
# Breached-password-check
|
# Password check using k-Anonymity
|
||||||
PHP function for checking passwords against the "Have I been Pwned" database
|
PHP function for checking passwords against the pwnedpasswords.com database
|
||||||
|
|
||||||
|
You can add this function inside your functions file.
|
||||||
|
|
||||||
|
k-Anonymity means that it does NOT send your password over the internet but hashes it and only sends a part of the hash to request a list of all hashed passwords which have been compromised.
|
||||||
|
You will not send your password over the internet!
|
||||||
|
|
||||||
|
For example your password is 'Welcome01'
|
||||||
|
|
||||||
|
This will be hashed to: a1a2094820f0313d61da4f44032013eaf6c2b7d3
|
||||||
|
Only 'a1a20' will be send to the pwnedpasswords.com API which will return a list of ALL passwords which have been compromised where the hash starts with 'a1a20'.
|
||||||
|
|
||||||
|
You then download that list and check if the full hashed password is found it the list.
|
||||||
|
|
||||||
|
In case it is found your password is compromised and you can build your site that this password cannot be used or just warn the user.
|
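--- a/check_password.php
+++ b/check_password.php
@@ -0,0 +1,63 @@
+<?php
+function password_check($password_check_input) {
+
+// Encrypt your password and uppercase all chars
+$sha1_password = strtoupper(sha1($password_check_input));
+// Trim to the first 5 characters of the hash
+$sha1_password_short = substr($sha1_password, 0, 5);
+
+// Fetch hash list
+$curl = curl_init();
+
+curl_setopt_array($curl, array(
+CURLOPT_URL => "https://api.pwnedpasswords.com/range/$sha1_password_short",
+CURLOPT_RETURNTRANSFER => true,
+CURLOPT_ENCODING => "",
+CURLOPT_MAXREDIRS => 10,
+CURLOPT_TIMEOUT => 30,
+CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
+CURLOPT_CUSTOMREQUEST => "GET",
+CURLOPT_HTTPHEADER => array(
+"content-type: text/plain"
+),
+));
+
+$response = curl_exec($curl);
+$err = curl_error($curl);
+
+// Put reponse into an array
+$lines = explode(PHP_EOL, $response);
+
+// Set hitcounter to ZERO
+$hitcounter=0;
+
+// Loop through all lines
+foreach ($lines as $line => $row) {
+// Join the 5 sha1 chars with the result
+$row = $sha1_password_short . $row;
+// Break output
+$row = explode(':', $row);
+// Set hash as row (part zero of the explode)
+$row = $row[0];
+
+// Check if the hash matches your encrypted password
+if ($row == $sha1_password) {
+$hitcounter++;
+}
+}
+
+curl_close($curl);
+
+if ($err) {
+echo "cURL Error: $err";
+}
+
+if ($hitcounter != 0) {
+echo "<p><center>The chosen password is known as a breached password!<br>
+Please select a different password</center></p>";
+die;
+}
+}
+
+password_check($MySsecretPassword);
+?>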
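Review bot: A failed lookup is treated as a clean password: when `curl_exec()` returns false or the API answers with an error status, no row matches, `$hitcounter` stays 0 and `password_check()` returns normally after only echoing the cURL error into the page. Check the transfer before parsing, e.g. `if ($response === false || curl_getinfo($curl, CURLINFO_HTTP_CODE) !== 200) { /* report the failure to the caller */ }`, and log the error server-side instead of printing it to the user. The comparison `$row == $sha1_password` is loose, so two hex strings that both look numeric (such as `0E` followed only by digits) compare equal; `hash_equals($sha1_password, $row)` or `===` avoids that false positive. The comment "Encrypt your password" should say the password is hashed with SHA-1, since nothing is encrypted.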