pwned-sqlite3
Use a local sqlite3 db for checking if a password is pwned.
You must be using Node.js v10.20.1 or above for better-sqlite3. Prebuilt binaries for better-sqlite3 are available for LTS versions.
Build your database
Download the SHA-1 password list (tested with "Version 7 (ordered by hash)" from Have I Been Pwned.
Use build_database.py (see github-repo) to build the database. Modify if necessary the variables path
and dbName
. Python is about 30x faster than an equivalent solution in node.
Code Snippet
import { join } from "path";
import { pwned, connect } from "pwned-sqlite3";
connect(join(__dirname, "pwned.sqlite3"));
function isPwned(value: string) {
return (pwned(value));
}
Avoiding Supply Chain Attacks
I activated 2FA for npmjs. But you could also just copy the code directly into your project and never worry about a possible tainted package, as the package is actually pretty simple.