[Link to the mod](https://custom.simplemachines.org/index.php?mod=4306)
This enables checking passwords against the [Have-I-Been-Pwned](https://haveibeenpwned.com/Passwords) database. Passwords are only checked on registration and when changed on the profile.
Additionally, this can attempt to check the password from the browser using the same API.
SMF 2.1.0 or higher only!
PHP 7.3 or higher only
Nice! 8)
What are the differences between "Enable Server based Have-I-Been-Pwned Checks" and "Enable Client based Have-I-Been-Pwned Checks", and should I have them both checked?
Server side will have the server submit the checks to the API, while client side will let the browser submit the checks. The client side can thus do a more real-time check, while the server side check is performed upon submission. You can run both.
Quote from: SleePy on March 04, 2022, 10:29:37 PM
> Server side will have the server submit the checks to the API, while client side will let the browser submit the checks. The client side can thus do a more real-time check, while the server side check is performed upon submission. You can run both.
Ok thanks! Nice mod! 8)
Just saw this - it'd be good if there was a way to periodically check people's accounts/passwords as a matter of course (i.e. not just on change/registration). Is that even possible?
You can register your email to be notified if it shows up in a breach. You can register the domains you own to be notified if any email on them has a listing. There isn't one to tell you that your password has been found in a recent breach. You can follow Troy Hunt's blog and he will post about any new disclosures. You can then test your password again to see if it was breached.
As your password is in a one-way hash, there is no way to take these hashes and compare them against your password hash. The password must be typed in for the API to work as it only sends partial passwords over the API.
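The lookup discussed in the reply above, as an added example that is not part of the thread or the mod's own code: the Pwned Passwords range API receives only the first five hex characters of the password's SHA-1 hash, and the match is done locally, which is why the plaintext has to be available at check time. It runs under Node.js; the function names, the synchronous `fetchRange` callback and the sample response are assumptions made for illustration.

```javascript
// Added example: Pwned Passwords range lookup (k-anonymity), Node.js.
const { createHash } = require('crypto');

// Split the typed password's SHA-1 into the 5-character prefix that is
// sent and the 35-character suffix that never leaves the machine.
// A stored forum hash (salted, different algorithm) cannot be converted
// into this SHA-1, so the check needs the password as typed.
function splitHash(password) {
  const sha1 = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: sha1.slice(0, 5), suffix: sha1.slice(5) };
}

// Parse a range response body: one "SUFFIX:COUNT" entry per line.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// Returns how often the password is listed (0 = not listed).
// fetchRange is a hypothetical callback, prefix -> response body; a real
// caller would GET https://api.pwnedpasswords.com/range/<prefix>.
function pwnedCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return parseRange(fetchRange(prefix)).get(suffix) || 0;
}

// Constructed response for prefix 5BAA6; the counts are made up.
const SAMPLE_BODY = [
  '1D72CD07550416C216D8AD296BF5C0AE8E0:10',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234', // suffix of SHA-1("password")
  '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0',    // padding-style entry, count 0
].join('\r\n');

// Stand-in for the network call that records what would be transmitted.
const sent = [];
function fakeFetch(prefix) {
  sent.push(prefix);
  return prefix === '5BAA6' ? SAMPLE_BODY : '';
}

console.log(pwnedCount('password', fakeFetch), sent);
```

A non-zero count is what a registration or password-change handler would treat as "reject or warn"; entries with a count of 0 are treated as not listed.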