@JamoCA
Last active May 5, 2023 19:58
ColdFusion function to validate hashed password with HaveIBeenPwned API v2 to return numeric breach count. (cfml)
<!--- 20230505 Inspired by https://github.com/JayIsPainting/CFML_HIBP but returns a numeric value (for use with APIs)
GIST: https://gist.github.com/JamoCA/328157ed2caf3c2887ef5cfc1e9d46e3
--->
<cffunction name="getPasswordBreachCount" returntype="numeric" output="no" access="public" hint="Checks the supplied password against the HaveIBeenPwned Pwned Passwords API v2 (k-anonymity range search) and returns the number of breaches it appears in.">
<cfargument name="pwd" type="string" required="true">
<!--- SHA-1 hex digest of the password; only its first 5 characters are ever sent to the API --->
<cfset local.passwordHash = hash(arguments.pwd, "SHA")>
<cfset local.prefix = left(local.passwordHash, 5)>
<cfset local.passMatch = right(local.passwordHash, len(local.passwordHash)-5)>
<cfhttp url="https://api.pwnedpasswords.com/range/#local.prefix#" method="get" useragent="CFML_PwnChk" result="local.cfhttp" getasbinary="never"></cfhttp>
<!--- Fail closed: a connection failure or non-200 response must not be reported as "0 breaches" --->
<cfif not find("200", local.cfhttp.statuscode)>
<cfthrow type="PwnedPasswordsLookupFailed" message="Pwned Passwords range lookup failed: #local.cfhttp.statuscode#">
</cfif>
<!--- Each response line is SUFFIX:COUNT; match our 35-character suffix and capture the count --->
<cfset local.searchResult = refind("(^|\s)#local.passMatch#\:(\d+)($|\s)", local.cfhttp.filecontent, 1, true)>
<cfset local.breachCount = (arraylen(local.searchResult.match) eq 4) ? local.searchResult.match[3] : 0>
<cfreturn javacast("int", local.breachCount)>
</cffunction>
<cfset passwordToTest = "password">
<cfset numberofBreaches = getPasswordBreachCount(passwordToTest)>
<cfif numberofBreaches>
<cfoutput>
<p><b>Attention:</b> The password you have chosen is known to exist in data breach(es) on other site(s).<br>
It has been compromised <b><u>#numberformat(numberofBreaches)#</u></b> times. It should be considered insecure.<br>
If you use this password on other sites, you should consider changing it.</p>
</cfoutput>
<cfelse>
<p>Password has not been found in any online breaches.</p>
</cfif>