
Password check with haveibeenpwned

The website haveibeenpwned.com provides, among other things, a list of passwords that have appeared in data leaks.

haveibeenpwned is secure

During a check the complete password is never sent, only a small part of its hash value.

The Pwned Passwords function searches the database of previous data leaks for a user-supplied password. The password is hashed with the SHA-1 algorithm and only the first 5 characters of the hash are sent.

Integration with ISPConfig

On the “Misc” tab of the Main Config section you can set the maximum number of entries a password may have in the haveibeenpwned database.

If a password is entered that is in the database more times than you have allowed, a hint is displayed and the password cannot be used.