kylemass/haveibeenpwned
A plugin to check if your users passwords have been pwned by a known data breach via https://haveibeenpwned.com
Maintainers
Requires
- php: >=5.6.4
- guzzlehttp/guzzle: ~6.0
- laravel/framework: 5.4.*
Requires (Dev)
None
Suggests
None
Provides
None
Conflicts
None
Replaces
None
MIT f28bc2fd2019d8a1a4a367c0b47cf498c6534d66
- Kyle Ellis <ky.ellis83.woop@gmail.com>
This package is not auto-updated.
Last update: 2026-06-21 12:39:28 UTC
README
Introduction
A plugin to check if your users passwords have been pwned by a known data breach via https://haveibeenpwned.com
Installation
Run:
composer require kylemass/haveibeenpwned:dev-master
Add the provider to your config file
KyleMass\Hibp\Providers\HibpServiceProvider::class
Add the Facade
'Hibp' => KyleMass\Hibp\Facades\Hibp::class
Next, publish the config file using:
php artisan vendor:publish --provider="KyleMass\Hibp\Providers\HibpServiceProvider" --tag=config
To Use:
Inside your validation just add the:
beenpwned validation rule.:
Validator::make($data, [ 'name' => 'required|string|max:255', 'email' => 'required|string|email|max:255|unique:users|beenpwned:false', 'password' => 'required|string|min:6|confirmed|beenpwned', ]);
Please take note: that there is a boolean parameter. By default this checks for passwords.
By leaving the parameter off or setting it to true it will check the password against the
Have I been pwned API. If you set it to false, this will check their account login name or password.
Also note that by using the validation on an email and/or username, you potentially wont pass validation for the registering user. Only use this if this is what you truly desire.
TODO:
- Make it framework agnostic
- Add validating to a local storage of pwned accounts