Have I Been Pwned

The Have I Been Pwned plugin helps protect user accounts by preventing the use of passwords that have been exposed in known data breaches. It uses the Have I Been Pwned API to check if a password has been compromised.

Installation

import { betterAuth } from "better-auth"
import { haveIBeenPwned } from "better-auth/plugins"
 
export const auth = betterAuth({
    plugins: [
        haveIBeenPwned()
    ]
})

Usage

When a user attempts to create an account or update their password with a compromised password, they'll receive the following default error:

{
  "code": "PASSWORD_COMPROMISED",
  "message": "Password is compromised"
}

Config

You can customize the error message:

haveIBeenPwned({
    customPasswordCompromisedMessage: "Please choose a more secure password."
})

Security Notes

  • Only the first 5 characters of the password hash are sent to the API
  • The full password is never transmitted
  • Provides an additional layer of account security
