mxrxdxn / pwned-passwords

A PHP library to query Troy Hunt's Pwned Passwords service to see whether or not a password has been included in a public breach.

License: MIT License

PHP 100.00%
breach password password-strength passwords php php7 pwnedpasswords security

pwned-passwords's People

Contributors

azjezz, pocketarc, sapphyrus

pwned-passwords's Issues

Returns false for passwords found once

In your readme.md you write:

The isInsecure method will return true if the password has been found in the PwnedPasswords API, and false if not.

However due to the option $maxUsage = 1 and

    if (intval($passwordLine[1]) > $maxUsage) {
        return true;
    }

(n.b. you used greater) the function returns false for passwords found exactly once in the API.

I tested it using the hash ABCDE028DA52CF202EA546E9A7669C7614D64DCD, but I don't know what password it's for (I just found it having one appearance for ABCDE :-)).

To fix that I suggest setting the default value for $maxUsage to 0 in order to comply with the function documentation, the readme and the naming of $maxUsage (which to me implies that a password occurring exactly $maxUsage times should return false).

Greetings
Nmxcgeo

All I get is blank pages

I'm just getting blank pages. Things should just work out of the box, but the PHP password check for Have I Been Pwned just shows blank pages, and warnings upon install saying it's outdated! I expect a page with a form a user can put their password in, and then it will be checked. I need this done in plain text as I don't use SHA or MD5; I use a custom password algo that won't be found anywhere, so a plaintext or SHA-1 version of the password may still work, but at present all I get is blank pages. This is not good, and using BS libraries is also not ideal. Stick to native PHP code, no libs required, and then things won't go wrong. I hate using Composer and other frameworks. Again, just stick to native PHP code and get this working all from 1 PHP file, as you're only sending data to the API and getting a response after all. So I expect this to be fixed, all redundant BS code and libs to be removed, and 1 single native PHP file to just return whether the password is compromised or not. When can I expect this new update?

P.S. I've tried 2 now and am running out of patience. All I want is this simple concept working so users can be secure, that's all! Thanks!

Put in how I can do this manually if you won't update your old crappy code, please. I don't mind doing it; just explain how I could do it the way I describe. Thanks.

Returns false if cURL request fails

How to reproduce:

  1. Unset curl.cainfo in php.ini or change the API URL to something invalid

  2. Run the following script

<?php

require_once('vendor/autoload.php');

$pp = new PwnedPasswords\PwnedPasswords;

// will return false
var_dump($pp->isInsecure('password'));
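
The two behaviours reported in the issues above (a hash seen exactly once passing the `> $maxUsage` check, and a failed request being reported as `false`) can be separated as in the following added example, which is not the library's code. The names `breachCount`, `hashIsInsecure` and the `$fetchRange` callable are hypothetical, and the range response is constructed around the hash quoted in the first issue.

```php
<?php
declare(strict_types=1);
// Added example: breachCount(), hashIsInsecure() and $fetchRange are hypothetical names.
/**
 * Count sightings of a SHA-1 hash. $fetchRange takes the 5-character prefix and
 * returns the body ("SUFFIX:COUNT" lines) or false when the request failed.
 */
function breachCount(string $sha1Hex, callable $fetchRange): int
{
    $hash = strtoupper($sha1Hex);
    if (preg_match('/^[0-9A-F]{40}$/', $hash) !== 1) {
        throw new InvalidArgumentException('expected a 40-character SHA-1 hex digest');
    }
    $body = $fetchRange(substr($hash, 0, 5));
    if (!is_string($body)) {
        // A failed lookup means "unknown", never "not breached".
        throw new RuntimeException('range lookup failed');
    }
    $suffix = substr($hash, 5);
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && strtoupper($parts[0]) === $suffix) {
            return (int) $parts[1];
        }
    }
    return 0; // suffix not listed under this prefix
}

/** True when the hash was seen more than $maxUsage times; 0 flags any sighting. */
function hashIsInsecure(string $sha1Hex, callable $fetchRange, int $maxUsage = 0): bool
{
    return breachCount($sha1Hex, $fetchRange) > $maxUsage;
}

// Constructed response for prefix ABCDE: the hash from the first issue with
// count 1, plus one made-up suffix.
$sample = "028DA52CF202EA546E9A7669C7614D64DCD:1\r\n" . str_repeat('F', 35) . ":42\r\n";
$hash   = 'ABCDE028DA52CF202EA546E9A7669C7614D64DCD';
$ok     = function (string $prefix) use ($sample) { return $sample; };
$failed = function (string $prefix) { return false; }; // stands in for a failed request

var_dump(hashIsInsecure($hash, $ok));    // one sighting, threshold 0
var_dump(hashIsInsecure($hash, $ok, 1)); // one sighting, threshold 1 (first issue)
try {
    hashIsInsecure($hash, $failed);
} catch (RuntimeException $e) {
    echo 'lookup failed, result unknown: ', $e->getMessage(), PHP_EOL;
}
```

Throwing on a failed lookup leaves the caller to decide whether to block the password change or retry, instead of silently accepting the password.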
