Pwny plugin for Craft 5

By Ant, 2 Dec 2024

Introducing Pwny (pronounced “po-nee”), the latest security-focused plugin with a tenuous equestrian pun from the Good Work stable. This plugin enhances your Craft CMS site security by ensuring users avoid passwords exposed in data breaches.

Inspired by Cloudflare’s blog post on Validating Leaked Passwords with k-Anonymity and Troy Hunt’s work on Have I Been Pwned, Pwny employs a k-Anonymity method to validate passwords against the Pwned Passwords API without compromising user privacy.

Have I Been Pwned is a popular service that aggregates leaked login credentials to alert users when their information may have been compromised. This service has been integrated into various security tools and utilized by government agencies to mitigate cybercrime.

The Pwned Passwords API exposes a dataset of passwords that have appeared in data breaches, the same passwords attackers reuse in “credential stuffing” attacks. While it’s ideal to use a unique password for each account, many users don’t. By preventing users from selecting weak, already-compromised passwords, Pwny helps reduce the risk of account breaches.

Pwny validation error in Craft Control Panel

Although Craft CMS encrypts passwords, we can add a further check at the moment a password is set. Pwny hashes the candidate password and sends only a short prefix of that hash to the Pwned Passwords API. Because that prefix is shared by a great many possible hashes, the password cannot be inferred from it. The API returns the list of leaked-password hashes that share the prefix, and the full hash is compared against that list locally to identify a risky password.
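The exchange described above, as an added example written here in Python rather than taken from the Pwny plugin (which is PHP): the password is SHA-1 hashed, the first five hex characters are sent to the real `range` endpoint, and the remaining 35 characters are matched locally. The embedded range response is constructed for the example (the first suffix is the genuine SHA-1 suffix of `password`, the counts and other entries are made up); the `Add-Padding` header and the zero-count filler entries it produces are real API behaviour.

```python
import hashlib
import urllib.request

# Constructed stand-in for one Pwned Passwords "range" response (not real API
# output). Each line is "<35-char SHA-1 suffix>:<breach count>". The first
# suffix is the real one for "password"; the count and the other entries are
# invented. The API's Add-Padding mode fills responses with count-0 entries,
# so a count of 0 must be treated as "not found".
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0" * 34 + "1:0",            # padding-style filler entry
    "F" * 34 + "2:7",            # unrelated constructed suffix
    "",
])

def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix; only these 5 characters leave the server."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwny-k-anonymity-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of breaches the password appears in, or 0 if it is not in the list.

    `fetch` maps a prefix to a range body; pass a stub to run offline.
    """
    prefix, suffix = split_sha1(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE   # no network needed
    print("password ->", breach_count("password", fetch=offline))        # 3861493
    print("correct horse battery staple ->",
          breach_count("correct horse battery staple", fetch=offline))   # 0
```

A rejection policy belongs on top of `breach_count`: anything above 0 is enough to refuse the password, and a network failure should be handled explicitly (fail open or fail closed is a deliberate choice, not an accident).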

Pwny is easy to download and configure. The password-checking API doesn’t require a key, so you can start using it with default settings.

Pwny settings in Craft Control Panel

Fun fact: The word "pwned" has origins in video game culture and is a leetspeak derivation of the word "owned", due to the proximity of the "o" and "p" keys. It's typically used to imply that someone has been controlled or compromised, for example, "I was pwned in the Adobe data breach."


Further reading