This package checks a given password against the public API of haveibeenpwned.com. A typical use looks like this:
```elm
requestPassword : String -> Cmd Msg
requestPassword pass =
    pass
        |> hashAndCut
        |> Debug.log "This will be sent to HaveIBeenPawned.com"
        |> requestPossibleMatches
        |> Http.send PasswordResponse
```
hashAndCut is kept separate from requestPossibleMatches so that the developer can easily verify that the password itself is never passed to the request, only the first five characters of its hash.
hashAndCut : String -> Password
Hash your password and take only the first 5 characters. This is the only exposed function that creates a Password, so you cannot send any password by accident.
requestPassword : String -> Cmd Msg
requestPossibleMatches : Password -> Http.Request String
Turn the previously hashed password into a request to the API of HaveIBeenPwned.com. Because the password is hashed and only the first 5 characters of the hash are sent, a potential man-in-the-middle cannot easily recover the password.
isPasswordKnown : String -> Result Http.Error String -> Result Http.Error IsPasswordKnown
This takes the password and the result of the HTTP request made earlier. If the HTTP request errored, the error is returned in the result.
Possible results of a request to the HaveIBeenPwned API. Note that it does not matter how often a password was found in breaches: if it was found even once, it is on lists that are used in actual attacks.
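The hash-and-cut flow described above (send only the first five characters of the hash, compare the remaining suffix locally against the returned list), as an added, offline example in Python that is not part of this Elm package; the response body is constructed to mimic the API's "SUFFIX:COUNT" line format.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample response: one "SUFFIX:COUNT" line per breached hash
# that shares the queried 5-character prefix. The real API returns the
# same shape for GET https://api.pwnedpasswords.com/range/<prefix>.
SAMPLE_RESPONSE = "\r\n".join([
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2",
])


def hash_and_cut(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix (the only part that leaves the client) and the
    35-character suffix (kept locally for comparison)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a suffix -> count map.
    Blank or malformed lines are skipped rather than raising."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            matches[suffix.upper()] = int(count)
    return matches


def is_password_known(password: str, body: str) -> bool:
    """True if the password's hash suffix appears in the response with a
    non-zero count. As the package notes, the count itself does not
    matter: a single occurrence already puts it on attackers' lists.
    (Zero-count entries are the API's optional padding and are ignored.)"""
    _, suffix = hash_and_cut(password)
    return parse_range_response(body).get(suffix, 0) > 0
```

The caller never transmits `password` or the full digest; only the prefix returned by `hash_and_cut` would go into the request URL.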