brasilikum / is-password-known / IsPasswordKnown

This package checks a given password against the public API of haveibeenpwned.com without ever sending the password itself: only the first five characters of its hash leave the client.

A typical use would look like this:

requestPassword : String -> Cmd Msg
requestPassword pass =
    pass
        |> hashAndCut
        |> Debug.log "This will be sent to HaveIBeenPawned.com"
        |> requestPossibleMatches
        |> Http.send PasswordResponse

hashAndCut is kept separate from requestPossibleMatches so that the developer can easily verify that the password itself is never passed to the request; only the first five characters of its hash are.

Generate the request to the API

hashAndCut : String -> Password

Hash your password and take only the first 5 characters. This is the only exposed function that creates a Password value, so you cannot send a raw password by accident.

requestPassword : String -> Cmd Msg
requestPassword pass =
    pass
        |> hashAndCut
        |> Debug.log "This will be sent to HaveIBeenPawned.com"
        |> requestPossibleMatches
        |> Http.send PasswordResponse

requestPossibleMatches : Password -> Http.Request String

Turn the previously hashed password into a request to the API of HaveIBeenPwned.com. Because only the first 5 characters of the hash are sent, many different passwords share the same prefix, so a potential man-in-the-middle cannot easily recover the password from what is captured.

Check the returned list for a match

isPasswordKnown : String -> Result Http.Error String -> Result Http.Error IsPasswordKnown

This takes the password and the result of the HTTP request made before. If the HTTP request errored, the error is returned in the result.

type IsPasswordKnown
    = PasswordUnknown
    | FoundInBreachedDataTimes Basics.Int

Possible results of a request to the HaveIBeenPwned API. Note that it does not matter how often a password was found in breaches: if it was found even once, it is on lists that are used in actual attacks!
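The two steps the package separates (hashAndCut / requestPossibleMatches on one side, isPasswordKnown on the other) map onto the HaveIBeenPwned range API, which takes the first 5 hex characters of the password's SHA-1 and answers with one `SUFFIX:COUNT` line per hash sharing that prefix. The following Python is an added illustration, not code from this package; the response body it matches against is constructed inline rather than fetched, and the function names are my own.

```python
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"  # the real HIBP range endpoint


def hash_and_cut(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix).

    Only the 5-character prefix is ever sent; the 35-character suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def request_url(prefix: str) -> str:
    """Build the range query. The prefix is all the server (or an eavesdropper) sees."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("range queries take exactly 5 uppercase hex characters")
    return RANGE_API + prefix


def is_password_known(password: str, response_body: str) -> int:
    """Return how often the password appeared in breaches, or 0 if it is unknown.

    The API answers with one 'SUFFIX:COUNT' line per hash sharing the prefix.
    Matching is done locally against the suffix that was never sent. A line with
    count 0 is one of the API's optional padding entries and means "not found".
    """
    _, suffix = hash_and_cut(password)
    for line in response_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample body (not captured from the live API): CRLF-separated lines,
# one breached entry for "password" plus a made-up neighbour and a padding line.
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D66:1",
    hash_and_cut("password")[1] + ":3730471",
    "00E33A3ABF1E8F3D92E7B9F1A0D1A56C2A3:0",
])

if __name__ == "__main__":
    prefix, _ = hash_and_cut("password")
    print("sent:", request_url(prefix))  # the prefix only, never the password
    print("password ->", is_password_known("password", SAMPLE_RESPONSE))
    print("passphrase ->", is_password_known("correct horse battery staple", SAMPLE_RESPONSE))
```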