This module checks user passwords using Troy Hunt's excellent Have I Been Pwned (HIBP) service.

Specifically, it uses the Pwned Passwords V2 range API (V3 differs very little), which means that only the first 5 characters of the hash of each checked password are sent to the HIBP API (over HTTPS); the full password or hash never leaves the site.

The module has configurable policies for registration, password change and login. Each policy can block the use of compromised ("pwned") passwords, emit a warning, or do nothing (ignore). By default pwned passwords are blocked at registration or password change, and a warning is emitted at login.

There is also a configurable threshold applied to the count the API returns for each pwned password; higher counts indicate passwords that appear more often in breach data, and a password only counts as pwned when its count reaches the threshold.
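The check described above, as an added example in Python rather than the module's own PHP: the hash is split into a 5-character prefix and a 35-character suffix, only the prefix is looked up, the returned suffix:count list is matched locally, and the per-context policy and threshold decide the outcome. The range responses, suffixes (other than the one for "password") and counts are constructed for this example, and `offline_fetch_range` stands in for the HTTPS request.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample range responses keyed by hash prefix, standing in for the
# body of GET https://api.pwnedpasswords.com/range/<prefix>. Each line is
# "<35-char hash suffix>:<count>". Suffixes and counts are made up except
# that the third line is the real SHA-1 suffix of the string "password".
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}

# Default policy per context, mirroring the defaults described above.
DEFAULT_POLICIES = {"register": "block", "change": "block", "login": "warn"}


def hash_split(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-character prefix ever leaves the server (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS range request; returns the constructed body."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = hash_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def evaluate(password: str, context: str, threshold: int = 1,
             policies: Dict[str, str] = DEFAULT_POLICIES,
             fetch_range: Callable[[str], str] = offline_fetch_range):
    """Apply the context's policy; returns ('allow'|'warn'|'block', count).
    A password only counts as pwned when its count reaches the threshold."""
    count = pwned_count(password, fetch_range)
    policy = policies.get(context, "ignore")
    if count < threshold or policy == "ignore":
        return "allow", count
    return policy, count
```

Swapping `offline_fetch_range` for a function that performs the real HTTPS GET is the only change needed to run this against the live API.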

Thanks to Koen Verheyen for the original implementation.

This module has been developed for Drupal 7. The options for Drupal 10+ sites include:
