A package to determine if a given password has been "pwned", meaning the password has been compromised and may be used in a credential stuffing type attack. This package makes use of the "pwned passwords" feature of "Have I Been Pwned" https://haveibeenpwned.com/, which was created by Troy Hunt.
go get "github.com/ecnepsnai/go-pwnedpassword/
To check if a password has been compromised:
import "github.com/ecnepsnai/go-pwnedpassword"
password := "Your Users Password"
result, err := pwned.IsPwned(password)
if err != nil {
// Something went wrong (probably couldn't contact the pwned password API)
}
if !result.Pwned {
// Password hasn't been seen before. Doesn't mean it's safe, just lucky.
} else {
count := result.TimesObserved
// Password has been seen `count` times before.
}If you want, you can also use pwned.IsPwnedAsync to check asynchronously:
import "github.com/ecnepsnai/go-pwnedpassword"
pwned.IsPwnedAsync(req.Password, func(result *pwned.Result, err error) {
if err != nil {
// Something went wrong (probably couldn't contact the pwned password API)
}
if !result.Pwned {
// Password hasn't been seen before. Doesn't mean it's safe, just lucky.
} else {
count := result.TimesObserved
// Password has been seen `count` times before.
}
})MIT
go-pwnedpassword is not endorsed or affiliated with Troy Hunt, Have I Been Pwned, or Pwned Passwords.