BLOG // May 5, 2021

Check if passwords have been compromised in Laravel

An awesome new Laravel 8 validation change is the addition of the uncompromised() option for password validation.

Simply put, you can add uncompromised() to your Password validation (as shown below) to check that the password has not been involved in a password leak.

use Illuminate\Validation\Rules\Password;

$request->validate([
    'password' => [
        'required',
        'confirmed',
        Password::min(8)
            ->mixedCase()
            ->letters()
            ->numbers()
            ->symbols()
            ->uncompromised(), // rejects passwords found in known breaches
    ],
]);

How does it work?

It leverages the Have I Been Pwned API, whose k-Anonymity model allows partial hash matching: only the first 5 characters of the password's SHA-1 hash are sent to the API.

The API then returns the suffixes of every leaked hash that starts with those 5 characters, so you never reveal the hash you generated; instead you receive a set of candidates and check for a match yourself. Interestingly, a 5-character prefix returns on average 478 hash suffixes.

You can learn more about k-Anonymity models at Wikipedia. In summary they exist in order to prevent you from sharing the data you are trying to verify (like a password).
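The following is an added example, not Laravel's own implementation and not from the original post: it performs the same range query by hand in plain PHP so the split between what is sent and what stays local is visible. The fetchHibpRange and breachCount functions are my own names, and the canned response (with made-up counts) stands in for the real API so the code runs offline.

```php
<?php
// Added example, not Laravel's code: the k-anonymity range check that
// Password::uncompromised() performs, written out so the data flow is visible.

// Ask the range endpoint for every leaked SHA-1 suffix sharing a 5-char prefix.
// Only the prefix leaves the machine; the full hash is never transmitted.
function fetchHibpRange(string $prefix): string
{
    $body = file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix);
    if ($body === false) {
        throw new RuntimeException("range lookup failed for prefix $prefix");
    }
    return $body;
}

// Returns how many times the password appeared in known breaches (0 = not found).
// $fetchRange is injectable so the logic can be exercised without network access.
function breachCount(string $password, callable $fetchRange = 'fetchHibpRange'): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);   // the only part sent to the API
    $suffix = substr($hash, 5);      // compared locally, never sent

    foreach (preg_split('/\r?\n/', trim($fetchRange($prefix))) as $line) {
        // Each response line is "<35-char hash suffix>:<occurrence count>"
        if (strpos($line, ':') === false) {
            continue;
        }
        [$candidate, $count] = explode(':', $line, 2);
        if (hash_equals($suffix, strtoupper(trim($candidate)))) {
            return (int) $count;
        }
    }
    return 0;
}

// Constructed stand-in for the API: sha1("password") is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 gets a canned
// body containing its suffix; the counts are made up, any other prefix gets nothing.
$constructedRange = fn (string $prefix): string => $prefix === '5BAA6'
    ? "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    . "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
    : '';

echo breachCount('password', $constructedRange), PHP_EOL;
echo breachCount('correct horse battery staple', $constructedRange), PHP_EOL;
```

Drop the second argument to query the live API; the prefix-only request is what keeps the k-Anonymity guarantee.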
