firesphere/haveibeenpwnd
Composer 安装命令:
composer require firesphere/haveibeenpwnd
包简介
Check if a user password is found in the Have I Been Pwned database.
README 文档
README
This module is not a replacement for two factor authentication.
Users are actively locked out if their password is found to be pwnd and forced to reset their password.
Although it adds to the user security te enforce unique passwords, this module will not prevent any password leaks like the ones used by HaveIBeenPwned.
Disclaimer
If this module breaks your website, you get to keep all the pieces.
Have I Been Pwned for SilverStripe
This module checks on password change and login, if the SHA1 of the password appears in the Have I Been Pwnd database.
There is never a full password transmitted to HaveIBeenPwned, only the first 5 characters of a SHA1 of the password, the response from HaveIBeenPwned is then compared locally.
Given the nature of HaveIBeenPwned, even if a password is intercepted (the connection is HTTPS and Troy Hunt is not the easiest when it comes to security), the password has already been out in the wild, so this scenario is a very unlikely one to cause more breaches.
Only a count of the amount of times the password shows in the database is collected, next to which known breaches contain the users Email or Username. This information about the password and the email are unrelated. HaveIBeenPwned does not provide a relation between the two. On purpose.
Requirements
SilverStripe Framework 4.x+ GuzzleHttp 6.x+ PHP 8.0+
Installation
composer require firesphere/haveibeenpwnd
Configuration
Making calls to the Have I Been Pwned API requires a key. There's a full blog post on why here.
To configure this module to use the key, define an environment variable on your server or your .env:
HIBP_API_KEY="MYAPIKEY1234567898765431"
Other configurations can be done in YML:
---
Name: MyPwnConfig
after: HaveIBeenPwnedConfig
---
Firesphere\HaveIBeenPwned\Services\HaveIBeenPwnedService:
allow_pwnd: false
save_pwnd: true
---
Only:
environment: dev
---
Firesphere\HaveIBeenPwned\Services\HaveIBeenPwnedService:
allow_pwnd: true
Parameters
allow_pwnd If set to true, passwords that appear in the Have I been Pwnd database will be allowed
save_pwnd If set to true, all the breaches in which the user's username or email address appears
Applying the validator extension to other PasswordValidators
Add the following to either of your config yml files. (Suggested is using an extensions.yml file)
MyVendor\MyNameSpace\MyPasswordValidator:
extensions:
- Firesphere\HaveIBeenPwned\Extensions\PasswordValidatorExtension
Replacing the vendor\namespace\validator with your own Validator namespace and classname
By default, if the default PasswordValidator isn't registered, this module will register it
to make sure the changes are applied. You can override this in your own _config.php file.
Only environment
To not make engineers life impossible and allow for using pwnd passwords on local environments in dev mode,
by default, the Pwnd service is turned off in dev mode
Can I USe
Simply put? Sure. Admitted, this is Open Source software, and in theory, you can use it any way you want.
You can license this work, by buying a usage subscription. It will allow you to request support, or just supporting the developer.
Did you read this entire readme? You rock!
Pictured below is a cow, just for you.
/( ,,,,, )\
_\,;;;;;;;,/_
.-"; ;;;;;;;;; ;"-.
'.__/`_ / \ _`\__.'
| (')| |(') |
| .--' '--. |
|/ o o \|
| |
/ \ _..=.._ / \
/:. '._____.' \
;::' / \ .;
| _|_ _|_ ::|
.-| '==o==' '|-.
/ | . / \ | \
| | ::| | | .|
| ( ') (. )::|
|: | |; U U ;|:: | `|
|' | | \ U U / |' | |
##V| |_/`"""`\_| |V##
##V## ##V##
firesphere/haveibeenpwnd 适用场景与选型建议
firesphere/haveibeenpwnd 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 396 次下载、GitHub Stars 达 0, 最近一次更新时间为 2018 年 07 月 14 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「password」 「silverstripe」 「haveibeenpwned」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 firesphere/haveibeenpwnd 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 firesphere/haveibeenpwnd 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 firesphere/haveibeenpwnd 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
The PHP class PasswordGenerator serves as a password generator to create memorable passwords like the keychain of macOS ≤ 10.14 did.
PHP Client for haveibeenpwned.com APIs
Accessing haveibeenpwned.com API's from Symfony applications.
Verify hashed passwords against HIBP
Laravel middleware to restrict a site or specific routes using HTTP basic authentication
统计信息
- 总下载量: 396
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 3
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: LGPL-3.0-or-later
- 更新时间: 2018-07-14