Not Pictured: Mangoes

    hibpvalidator

    1.0.0 • Public • Published

    HibpClientValidator

    Client Validator for MVC (both Core and Framework) that validates passwords against the https://haveibeenpwned.com/ password database. It will not tell how many times a password has been used as it is not relevant. If it has been leaked, it should not be used again.

    Installation

    Install-Package Sustainable.Web.Mvc.HibpClientValidator

    Usage

    In the models that you want to check (hint: RegisterViewModel and ChangePasswordViewModel are good candidates)

    add

    using HibpClientValidator;

    and decorate the appropriate properties with the Hibp attribute:

    [Hibp("This password has been exposed in password leaks, please choose another", "Checking password...")]

    Make sure to add hibpvalidator.js and sha1.js to one of your bundles or directly to your form pages:

    <script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha1/0.6.0/sha1.js" integrity="sha256-LmIVkNdxjrHbViQZD9LSewZc+3rU/alc7P/UJj6mUPc=" crossorigin="anonymous"></script>
    <script src="~/scripts/hibpvalidator.js"></script>

    Alternatives

    Why should you use this instead of something like: https://www.nuget.org/packages/Matrixsoft.PwnedPasswords/

    Since this is a client validator, it runs in the users browser. This creates a better user experience (it is faster) and the bandwith is reduced from the server. It is damn easy to implement.

    Accolades

    Obviously this is a small wrapper for the massive work done by Troy Hunt:

    Demonstration

    The package is in live use on these sites (make a PR if you know more)

    Install

    npm i hibpvalidator

    DownloadsWeekly Downloads

    7

    Version

    1.0.0

    License

    MIT

    Unpacked Size

    4.48 kB

    Total Files

    3

    Last publish

    Collaborators

    • peterobel