React Hook for password input validation based on Justin Hall's hibp based on Troy Hunt's Have I been pwned?
This module implements NIST password guidelines to be applied to input elements within the body of a functional React Component.
Memorized secrets SHALL be at least 8 characters in length […]
There should no longer be a requirement to have a certain mix of special characters, upper case letters and numbers for a password. […]
Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords. […]
Source: NIST Digital Identity Guidelines
yarn add react-hook-hibpimport React, { useState, useEffect } from 'react'
import { usePasswordCheck } from 'react-hook-hibp'
export default () => {
const [value, setValue] = useState('')
const onChange = e => setValue(e.target.value)
const [statusCode, checkPassword] = usePasswordCheck()
useEffect(() => checkPassword(value), [value])
return (
<>
<input type="password" value={value} onChange={onChange} />
<p>{value !== '' && statusCode}</p>
</>
)
}const [statusCode, checkPassword] = usePasswordCheck(options)Call checkPassword() on input change, handle form validation according to statusCode.
| Key | Description |
|---|---|
| MIN_LENGTH | Password is too short. |
| MAX_LENGTH | Password is too long. |
| WAITING | Waiting for API access for next check. |
| CHECKING | Checking password |
| CHECK_FAILED | Checking password failed |
| PWNED | Password insecure |
| NOT_PWNED | Password (probably) secure |
export const defaultOptions = {
minLength: 8,
maxLength: 128
}API Rate limiting is being respected and reflected in statusCodes.WAITING. Increase rate limit if you expect concurrent usage by different processes sharing the same IP.
Example:
import { setRateLimit } from 'react-hook-hibp'
setRateLimit(3000)-
k-anonymity: Only the first five characters of the hashed input are submitted to the haveibeenpwned.com range API.
-
API results are being cached non-persistently
This module is distributed under the MIT License.