WSC 3.0, 3.1 & 5.2 Have I Been Pwned (HIBP)



Have I Been Pwned (HIBP)


Product information

Checks for leaked passwords using Have I Been Pwned during password validation and informs users if their password has been found in a public password list.

Support forum
WSC 5.2 (Hurricane) / WSF 5.2

Product description

Insecure passwords are a big problem and always will be. Much worse, however, are passwords that become public through hacks (usually together with the email address). In such a case, you can often be sure that the passwords are stored in encrypted form on the websites concerned, but even the best encryption does not necessarily prevent the password from being published in plain text at some point, e.g. through so-called brute-force attacks. And it gets even worse: often one learns nothing about such incidents and is confronted with a fait accompli at some point (e.g. in the form of a spam email).

The "Have I Been Pwned (HIBP)" extension is designed to help you and your users identify weak passwords as well as passwords published as a result of hacker attacks, and to alert those affected by asking them to choose a different password or to change the password already in use.

For example, at each login and user registration, the extension generates a SHA1 hash of the entered password and sends the first 5 (of 40) hexadecimal digits of this hash to the online service Have I Been Pwned / Pwned Passwords. It then receives a list of all SHA1 hashes beginning with these 5 digits. In this list (stored locally on your server), the extension searches for the remaining 35 digits of the previously generated SHA1 hash and returns a corresponding warning if they are found. This warning can (but should not) be ignored by the user concerned. There is no compulsion to change the password.

Data protection

Of course, we have paid full attention to the protection of your data during the development of this extension. At no time will personal data such as user name, email or IP address, or the password itself, be transmitted. Only the first 5 digits of the above-mentioned SHA1 hash will be transmitted to the service Have I Been Pwned / Pwned Passwords, which is headquartered in the USA. These 5 digits give absolutely no information about the password used and cannot be used to reproduce it. All communication is also encrypted.

Can I see who is using an insecure password (e.g. to inform the user)?

No. This information is only shown to the user concerned during password validation (e.g. during login or in user administration). The password status, for example, is not stored.

What happens if the external service is not available?

If the service is temporarily unavailable, e.g. due to maintenance work or connection problems, the password entered is considered secure at least until the next validation (e.g. the next login). No notification about the service disruption is shown.
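The prefix lookup from the product description and the fail-open behaviour described above can be sketched as follows. This is an added example, not the extension's own code: the function names, the injectable `fetch` callable and the sample response are assumptions made here, and the response format is the `SUFFIX:COUNT` line format of the public Pwned Passwords range endpoint.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public range endpoint

def sha1_split(password):
    """Return (5-digit prefix, 35-digit suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def http_fetch(prefix, timeout=3):
    """Fetch the range list; only the 5-digit prefix leaves the server."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("ascii")

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def pwned_count(password, fetch=http_fetch):
    """Occurrences in the list; 0 if absent or if the service is unreachable."""
    prefix, suffix = sha1_split(password)
    try:
        body = fetch(prefix)
    except (OSError, ValueError):
        return 0  # fail open: treated as secure until the next validation
    # The comparison of the remaining 35 digits happens locally.
    return parse_range(body).get(suffix, 0)

# Constructed sample data so the example runs offline (not real API output).
def fake_fetch(prefix):
    known_prefix, known_suffix = sha1_split("password")
    padding = "0" * 35 + ":0\r\n"  # zero-count entry, never a match
    if prefix != known_prefix:
        return padding
    return padding + known_suffix + ":12345\r\nnot-a-valid-line\r\n"

def offline_fetch(prefix):
    raise OSError("constructed outage")  # simulates an unavailable service
```

Because the check fails open, an outage silently disables it; recording the exception server-side makes such gaps visible to the operator without storing anything about the user's password.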
