Happy world password day! CFML_HIBP password checker

Jay_B · May 4, 2023, 3:13pm

A few years ago I built a simple tool called CFML_HIBP to check passwords against the HaveIBeenPwnd API. Might be useful for some of you to add to your pwd management pages.

Michele_Scaletta · May 5, 2023, 2:25pm

I think it would be good to start implementing some passkey libraries that will soon be available on chrome and chromium as well. . I’ve taken a look at the WebAuthn API and could start studying the subject from here:

Jamo · May 5, 2023, 8:45pm

I saw in the source code that you were welcoming updates to regex. I modified your CFC as a UDF to return a single numeric breach count (so I could use it as an API) and used regex. Here’s the UDF source:

gist.github.com

https://gist.github.com/JamoCA/328157ed2caf3c2887ef5cfc1e9d46e3

getPasswordBreachCount.cfm

<!--- 20230505 Inspired by on https://github.com/JayIsPainting/CFML_HIBP but returns a numeric value (for use with APIs)
GIST: https://gist.github.com/JamoCA/328157ed2caf3c2887ef5cfc1e9d46e3
--->
<cffunction name="getPasswordBreachCount" returntype="numeric" output="no" access="public" hint="Checks supplied password against HaveIBeenPwnd Passwortd APIv2 and returns number of breachs.">
	<cfargument name="pwd" type="string" required="true">
	<cfset local.passwordHash = hash(arguments.pwd, "SHA")>
	<cfset local.prefix = left(hash(arguments.pwd, "SHA"), 5)>
	<cfset local.passMatch = right(local.passwordHash, len(local.passwordHash)-5)>

	<cfhttp url="https://api.pwnedpasswords.com/range/#local.prefix#" method="get" useragent="CFML_PwnChk" result="local.cfhttp" getasbinary="never"></cfhttp>

This file has been truncated. show original

Jay_B · May 23, 2023, 1:13pm

Nice! Thanks