When a user sets or changes their password, this plugin hashes the new password and checks it against haveibeenpwned.com's API. If the password appears in a known breach, the user cannot set it. Passwords are checked only when they are set or changed, not on every login, so passwords chosen before the plugin was installed are not checked retroactively.
Using this plugin therefore sends a SHA1 hash of the user's password to haveibeenpwned.com in order to complete the check. If you would rather not do that, you can stand up your own API backed by HIBP's data and perform the checks privately.
To do this, set the PASSWORD_CHECK_URL constant to the URL of your API endpoint. If the PASSWORD_CHECK_URL constant is unset, all password hashes are sent to haveibeenpwned.com.
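The following is an added example, not the plugin's own code, showing what a hash-based breach check against an HIBP-style endpoint looks like and how the constant would be pointed at a private mirror. HIBP's public Pwned Passwords "range" endpoint takes only the first five hex characters of the uppercase SHA-1 hash and returns `SUFFIX:COUNT` lines; whether this plugin uses that endpoint or submits the full hash, and the exact URL layout it expects under PASSWORD_CHECK_URL, is not stated on this page, so the `/range/{prefix}` layout, the `pwned_count` and `http_range_fetcher` helpers, and the sample response body are all assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Assumes an HIBP-compatible range API:
// GET {base}/range/{first 5 hex chars of uppercase SHA-1}, body = "SUFFIX:COUNT" lines.
// The plugin's real request format against PASSWORD_CHECK_URL is not documented here.

// In wp-config.php, pointing the check at a private mirror instead of haveibeenpwned.com
// (hostname is a placeholder):
// define( 'PASSWORD_CHECK_URL', 'https://pwned.internal.example/range/' );

/** Split the uppercase SHA-1 of a password into the 5-char prefix that is sent
 *  and the 35-char suffix that stays local. */
function hibp_hash_parts( string $password ): array {
    $sha1 = strtoupper( sha1( $password ) );
    return array( substr( $sha1, 0, 5 ), substr( $sha1, 5 ) );
}

/**
 * Return how many times $password appears in the breach data, or 0 if it does not.
 * $fetch_range takes the 5-char prefix and returns the response body for it.
 * Only the prefix leaves the server, so the endpoint learns at most that the
 * password is one of the few hundred hashes sharing that prefix.
 */
function pwned_count( string $password, callable $fetch_range ): int {
    [ $prefix, $suffix ] = hibp_hash_parts( $password );
    $body = $fetch_range( $prefix );
    foreach ( preg_split( '/\r?\n/', $body ) as $line ) {
        $line = trim( $line );
        if ( $line === '' ) {
            continue;
        }
        [ $hash_suffix, $count ] = array_pad( explode( ':', $line, 2 ), 2, '0' );
        // Constant-time compare; a mismatch in length also yields false.
        if ( hash_equals( $suffix, strtoupper( $hash_suffix ) ) ) {
            return (int) $count;
        }
    }
    return 0;
}

/** Fetcher for a live endpoint (HIBP itself or a mirror serving the same format). */
function http_range_fetcher( string $base_url ): callable {
    return function ( string $prefix ) use ( $base_url ): string {
        $body = @file_get_contents( rtrim( $base_url, '/' ) . '/' . $prefix );
        if ( $body === false ) {
            // Fail closed or open is a policy decision; here we surface the error.
            throw new RuntimeException( 'range lookup failed for prefix ' . $prefix );
        }
        return $body;
    };
}

// Constructed sample response for offline use. SHA-1("password") is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is "5BAA6".
// The count and the other suffixes are made up for this example.
$sample_body = "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
             . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             . "2A0A84B7F79C6A3FA8D0E7F8C5C6F2D4F1B:1\r\n";

$offline_fetcher = function ( string $prefix ) use ( $sample_body ): string {
    return $prefix === '5BAA6' ? $sample_body : '';
};

// Policy: reject any password with a non-zero breach count.
$rejected = pwned_count( 'password', $offline_fetcher ) > 0;
$accepted = pwned_count( 'Ungues5able-Phr4se!', $offline_fetcher ) === 0;

// Live use would swap in http_range_fetcher( PASSWORD_CHECK_URL ), falling back to
// 'https://api.pwnedpasswords.com/range/' when the constant is undefined.
```

The fetcher is injected so the matching logic can be exercised offline against a constructed body; in a real deployment the same `pwned_count` function would be called with `http_range_fetcher( defined( 'PASSWORD_CHECK_URL' ) ? PASSWORD_CHECK_URL : 'https://api.pwnedpasswords.com/range/' )`. What to do when the lookup fails (reject the password, or accept it and log) is a policy choice the example leaves to the caller.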
Is this secure?
Security products don't have to be perfect; they just have to be better than not using them. Our guess is that most WordPress sites gain more security from rejecting known compromised passwords than they lose by submitting password hashes to HIBP.
If submitting hashed passwords to HIBP is too much of a risk, you can use your own API (see installation instructions for how to do this).