This plugin sends the first 5 characters of the SHA1 hash of the password to the haveibeenpwned.com database of over 500 million passwords exposed in data breaches. If the password is found, Matomo rejects it and asks the user to use a more secure password.

This plugin only acts on passwords changes and can't access existing passwords as they are stored securely hashed by Matomo.

Disclaimer

Attention: This is a beta plugin. Please don't use it in security critical environments without checking the correctness of the source yourself.


View and download this plugin for a specific Matomo version:

This plugin is rejecting too many passwords. Can I set a threshold of occurances required to reject a password?

Not yet, but it would be very easy to add. If you are interested, just contact me.

Download for Matomo On-Premise This plugin is not available for Matomo for WordPress

View and download this plugin for a specific Matomo version:


Please share