Initial release
This commit is contained in:
Frank Bischof
parent
dceafe326f
commit
29d2c37103
18
README.md
18
README.md
|
|
@ -1,2 +1,16 @@
|
|||
# Breached-password-check
|
||||
PHP function for checking passwords against the "Have I been Pwned" database
|
||||
# Password check using k-Anonymity
|
||||
PHP function for checking passwords against the pwnedpasswords.com database
|
||||
|
||||
You can add this function inside your functions file.
|
||||
|
||||
k-Anonymity means that it does NOT send your password over the internet but hashes it and only sends a part of the hash to request a list of all hashed passwords which have been compromised.
|
||||
You will not send your password over the internet!
|
||||
|
||||
For example your password is 'Welcome01'
|
||||
|
||||
This will be hashed to: a1a2094820f0313d61da4f44032013eaf6c2b7d3
|
||||
Only 'a1a20' will be send to the pwnedpasswords.com API which will return a list of ALL passwords which have been compromised where the hash starts with 'a1a20'.
|
||||
|
||||
You then download that list and check if the full hashed password is found it the list.
|
||||
|
||||
In case it is found your password is compromised and you can build your site that this password cannot be used or just warn the user.
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
<?php
|
||||
function password_check($password_check_input) {
|
||||
|
||||
// Encrypt your password and uppercase all chars
|
||||
$sha1_password = strtoupper(sha1($password_check_input));
|
||||
// Trim to the first 5 characters of the hash
|
||||
$sha1_password_short = substr($sha1_password, 0, 5);
|
||||
|
||||
// Fetch hash list
|
||||
$curl = curl_init();
|
||||
|
||||
curl_setopt_array($curl, array(
|
||||
CURLOPT_URL => "https://api.pwnedpasswords.com/range/$sha1_password_short",
|
||||
CURLOPT_RETURNTRANSFER => true,
|
||||
CURLOPT_ENCODING => "",
|
||||
CURLOPT_MAXREDIRS => 10,
|
||||
CURLOPT_TIMEOUT => 30,
|
||||
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
|
||||
CURLOPT_CUSTOMREQUEST => "GET",
|
||||
CURLOPT_HTTPHEADER => array(
|
||||
"content-type: text/plain"
|
||||
),
|
||||
));
|
||||
|
||||
$response = curl_exec($curl);
|
||||
$err = curl_error($curl);
|
||||
|
||||
// Put reponse into an array
|
||||
$lines = explode(PHP_EOL, $response);
|
||||
|
||||
// Set hitcounter to ZERO
|
||||
$hitcounter=0;
|
||||
|
||||
// Loop through all lines
|
||||
foreach ($lines as $line => $row) {
|
||||
// Join the 5 sha1 chars with the result
|
||||
$row = $sha1_password_short . $row;
|
||||
// Break output
|
||||
$row = explode(':', $row);
|
||||
// Set hash as row (part zero of the explode)
|
||||
$row = $row[0];
|
||||
|
||||
// Check if the hash matches your encrypted password
|
||||
if ($row == $sha1_password) {
|
||||
$hitcounter++;
|
||||
}
|
||||
}
|
||||
|
||||
curl_close($curl);
|
||||
|
||||
if ($err) {
|
||||
echo "cURL Error: $err";
|
||||
}
|
||||
|
||||
if ($hitcounter != 0) {
|
||||
echo "<p><center>The chosen password is known as a breached password!<br>
|
||||
Please select a different password</center></p>";
|
||||
die;
|
||||
}
|
||||
}
|
||||
|
||||
password_check($MySsecretPassword);
|
||||
?>
|
||||
Loading…
Reference in New Issue