Compromised password blocking

Administration tools ::: tool_mupwned
Maintained by Petr Skoda
Compromised password blocking using the Have I Been Pwned database. Part of the MuTMS suite.

Checks passwords against the Have I Been Pwned database of known breaches when passwords are created, updated, or optionally on every login. Uses the k-Anonymity API — the full password is never sent outside Moodle. Users with a compromised password are blocked until they reset it, reducing the risk of account takeover through credentials exposed in past breaches.

Features

  • Checks passwords on creation and update
  • Optional check on every login
  • k-Anonymity API — no full password ever leaves Moodle
  • Blocks access until a compromised password is replaced

Configuration steps

  1. Install plugin
  2. Log in as admin - make sure you can reset your own administrator password via email if necessary
  3. Enable "Password policy" setting and review password requirements
  4. Enable "Check password on login" setting
  5. Navigate to "Site administration / Plugins / Authentication / Compromised password blocking" settings page
  6. Enable "Detect compromised passwords"
  7. If anything goes wrong you can also reset passwords from the CLI, see /admin/cli/reset_password.php

Contributors

Petr Skoda (Lead maintainer)