Estimate strength of users' new password input with zxcvbn, and query haveibeenpwned for matches against known hacked accounts

First things first - the goods: GitHub - detroitenglish/pw-pwnage-cfworker: Deploy a Cloudflare Worker to sanely score users' new passwords with zxcvbn AND check for matches against haveibeenpwned's 10+ billion breached accounts

This worker handles your users’ password input directly, so please read the source before deploying! src/index.js is only 147 lines of very heavily commented code.

Simply change the env file, and deploy - nice and easy. Detailed instructions and some config options are documented in

Libs are bundled up with the sauce via webpack, so you will need NodeJS installed in order to deploy.

For context, here’s an example of how I use this client-side in my own application:

Many thank-you’s to Cloudflare and @troyhunt for freely providing the haveibeenpwned API The maintainers of zxcvbn at DropBox are also a strapping lot.