Protect your WordPress site's users from using breached passwords!
With Forbid Pwned Passwords, your site's users will receive errors if they attempt to set their password to one found in a known breach, forcing them to choose a new one.
This can help to mitigate credential stuffing attacks against your site and its users.
This plugin makes use of Troy Hunt's Have I Been Pwned? API. Using k-anonymity methods, only a partial SHA-1 hash of the password is sent to the API in order to produce a list of hashes for local testing. This means no passwords are ever sent to third parties.
You can learn more about the Have I Been Pwned API here.
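The k-anonymity lookup described above, as an added Python example that is not the plugin's own code: it assumes the Pwned Passwords range format (the first 5 hex characters of the SHA-1 digest are sent, and `SUFFIX:COUNT` lines come back for local comparison). `FakeRangeApi` and the other names are hypothetical, and the response it returns is constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # hex characters of the SHA-1 digest sent to the range API
SUFFIX_LEN = 40 - PREFIX_LEN  # remainder of the digest, never sent


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the API, suffix kept local) of the SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; skip malformed lines and zero-count padding."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == SUFFIX_LEN and count.isdecimal() and int(count) > 0:
            found[suffix.upper()] = int(count)
    return found


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """Breach count for password; fetch(prefix) returns the range response body."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)  # comparison happens locally


class FakeRangeApi:
    """Constructed offline stand-in for the API; records what the client sent."""

    def __init__(self, breached: Dict[str, int]):
        self.breached = breached
        self.requests = []

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        lines = [f"{s}:{n}" for p, n in self.breached.items()
                 for pre, s in [split_hash(p)] if pre == prefix]
        lines.append("0" * SUFFIX_LEN + ":0")  # padding-style entry, count 0
        lines.append("not a valid line")       # malformed line must be ignored
        return "\r\n".join(lines)


if __name__ == "__main__":
    api = FakeRangeApi({"password": 12345})  # constructed breach count
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, api), "sent:", api.requests[-1])
```

A non-zero return value is the condition on which a password change would be rejected; `api.requests` shows that only the 5-character prefix ever leaves the client.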