Copyright 2021 - Schultz IT Solutions - swiss servicequality for austrian and international enterprises - All rights reserved.

use the Have-I-been-pwned API outside our plugins

  • Rüdiger Schultz
  • Rüdiger Schultz's Avatar Topic Author
23 Aug 2017 11:25 - 24 Aug 2017 17:15 #1 by Rüdiger Schultz
use the Have-I-been-pwned API outside our plugins was created by Rüdiger Schultz
There might be other situations (not registration, password change or login), where you would like to check the email address (and possibly the password) of a user.

Well this indeed is easy to achieve (provided our password_pwned plugin is actually installed of course). See this example on how to do this:

$data = array ('password1' => 'CorrectHorseBatteryStaple');
$method = 'pwnedpassword';
$caller = 'yourOwnTextID';
$param4 = FALSE;

$response = Password_pwnedHelper::_callHIBPapi($data, $method, $caller, $param4);

switch ($response) 
case '200' :	// password was found in "Have-I-been-Pwned" database, this one is known to hackers
	if ( Password_pwnedHelper::getPluginParams('allowpwned', $caller, $this)  )
		$application->enqueueMessage(JText::_('PLG_PASSWORD_PWNED_MSG_PASSWORDFOUND'), 'warning');
		$application->enqueueMessage(JText::_('PLG_PASSWORD_PWNED_MSG_PASSWORDFOUND_BLOCK'), 'error');
		$return = FALSE;
	if ( Password_pwnedHelper::getPluginParams('showmoreinfo', $caller, $this)   )
		$url = JURI::base() . 'index.php?option=com_content&view=article&id=' .$this->params->get('articleidmoreinfo') ;
		$application->enqueueMessage($message, 'notice');
case '404' :	// password was not found in "Have-I-been-Pwned" database, should be OK
case '429' :	// Rate limit exceeded for "Have-I-been-Pwned" API callse
default    :
	$return = FALSE;

A few explaining words
The Password_pwnedHelper class should always be existing within the Joomla environment, as it is loaded in the "system" plugin. So you should be able to call it!

The _callHIBPapi method takes four parameters
  • $data : an assoziative array with your data (see example above)
  • $method : to check for a pwned password, use 'pwnedpassword'
  • $caller : identify your calling context by a text string, do not use 'plgSystem' or 'plgAuthentication' as these are reserved already!
  • $param4 : we suggest you provide FALSE here (it is not utilised in any other context than 'plgSystem')

you will receive a string representing the actual HTTP status response from the Have I been pwned? API, on which you can react.

Ruediger Schultz
Schultz IT Solutions

Please support jDBexport on JOOMLA Extension directory (JED) at
The topic has been locked.