This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

A simple JavaScript library to help you protect your users' passwords


OktaSecurityLabs/passprotect-js


passprotect-js

Protect your users' passwords.

PassProtect demo

What is PassProtect?

PassProtect is a developer library created and maintained by Randall Degges. You can drop it into any web page to dramatically improve the security of users accessing your website.

PassProtect works by binding itself to all input elements on the page of type email or password. Whenever a user enters a new value into one of these input elements, PassProtect will check the user's email / password against the fabulous Have I Been Pwned? API service to see whether or not the user's email OR password has been breached in the past.

Finally, if appropriate, PassProtect will inform the user that their credentials were previously breached, give them some useful information, and ask them to update their password as soon as they can to reduce the risk that their account will be compromised.

PassProtect is a new, experimental way to proactively notify users about data breaches and help casual web users play a more active role in protecting their online accounts.

We believe that by informing and guiding users to reset their credentials when necessary, we can all help make the web a safer place <3

How to Use PassProtect

To use PassProtect in your website, simply copy the following script tag anywhere on your page. Don't worry about where you put it: anywhere is fine. It will run once the page has loaded and will initialize itself without any configuration necessary.

<html>
  <head>
    <!-- ... -->
  </head>
  <body>
    <!-- ... -->
    <script src="https://cdn.passprotect.io/passprotect.min.js"></script>
  </body>
</html>

You'll ideally want to include the PassProtect script tag on every page that contains an input element. There is almost no performance penalty for including PassProtect on all pages of your site -- if a page doesn't contain any input elements, PassProtect won't do anything and will immediately exit.

To keep things simple, our recommended approach is to just include the PassProtect script on every page of your site.

Is PassProtect Secure?

YES!

PassProtect never sends or stores password information over the network. It uses k-Anonymity to safely communicate your sensitive data over the internet without risk.

PassProtect is also completely free, open source, and maintained by Randall Degges. If you want to audit the source, or have ideas about how to do things better, please open a GitHub issue or email me directly.
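
The k-Anonymity exchange mentioned above can be sketched as follows. This is an added example, not PassProtect's own code: it assumes the Have I Been Pwned range format (the first five hex characters of the password's SHA-1 are sent, and `SUFFIX:COUNT` lines come back), and `splitHash`, `countInRange`, `checkPassword`, `fetchRange` and the sample response are names and data constructed for illustration.

```javascript
// Added illustration, not PassProtect's source. Uses Node.js for hashing.
const { createHash } = require('crypto');

// Uppercase hex SHA-1, split into the 5-character prefix that is sent
// and the 35-character suffix that never leaves the client.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
// Returns the breach count, or 0 when the suffix is absent or the count is malformed.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// fetchRange is a hypothetical injected function: prefix -> response body.
// In a browser it would wrap the request to the range endpoint; here it is a stub.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  const body = fetchRange(prefix); // only these 5 characters cross the network
  return { sent: prefix, breaches: countInRange(body, suffix) };
}

// Constructed sample response for prefix 5BAA6 (the counts are made up).
const SAMPLE_RANGE = [
  '003D68EB55068C33ACE09247EE4C639306B:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  '1E2AAA439972480CEC7F16C795BBB429372:0',
].join('\r\n');

// Offline stand-in for the network call; records what would have been sent.
const sentPrefixes = [];
function stubFetchRange(prefix) {
  sentPrefixes.push(prefix);
  return prefix === '5BAA6' ? SAMPLE_RANGE : '';
}

console.log(checkPassword('password', stubFetchRange));
console.log(checkPassword('a long passphrase nobody reuses', stubFetchRange));
```

The server sees only the prefix, which is shared by many unrelated hashes; the comparison against the suffix happens locally.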

Changelog

1.0.0: May 24, 2018

  • Removing email breach detection functionality.

0.2.1: May 22, 2018

  • Improving form binding for posterity.

0.2.0: May 22, 2018

  • Removing redundant npm publish script.
  • Adding Firefox support.

0.1.0: May 19, 2018

  • First release! Yey.