Have I Been Pwned

The Have I Been Pwned plugin helps protect user accounts by preventing the use of passwords that have been exposed in known data breaches. It uses the Have I Been Pwned API to check if a password has been compromised.

Installation

Add the plugin to your auth config

auth.ts

import { betterAuth } from "better-auth"
import { haveIBeenPwned } from "better-auth/plugins"

export const auth = betterAuth({
    plugins: [
        haveIBeenPwned()
    ]
})

Usage

When a user attempts to create an account or update their password with a compromised password, they'll receive the following default error:

{
  "code": "PASSWORD_COMPROMISED",
  "message": "Password is compromised"
}

Config

You can customize the error message:

haveIBeenPwned({
    customPasswordCompromisedMessage: "Please choose a more secure password."
})

Security Notes

Only the first 5 characters of the password hash are sent to the API
The full password is never transmitted
Provides an additional layer of account security

Get Started

Concepts

Authentication

Databases

Integrations

Plugins

Guides

Reference

Installation

Add the plugin to your auth config

Usage

Config

Security Notes

On this page