Password Purgatory is an intentionally infuriating API that requests inane and ultimately unachievable password criteria in order to deliberately frustrate the user. Regardless of the password used, it will always be rejected, hence subjecting the user to "purgatory". Read more in the launch blog post.
There is a single API endpoint that can be invoked with a GET request passing the password as a query string:
GET https://api.passwordpurgatory.com/make-hell?password={password}
A JSON response is returned containing a message describing how the password did not meet the required criteria:
{ "message": "Password must contain at least 1 number" }
CORS is enabled to allow calling the API from all origins.
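A minimal client for the endpoint described above, added here as an example; it is not the project's make-hell.js. The function names are hypothetical, and `fetchImpl` is injectable so the code can be exercised offline with a stub.

```javascript
// Added example: buildMakeHellUrl, parseMakeHellBody, requestCriteria and
// showMessage are hypothetical names, not part of the project's scripts.
const ENDPOINT = "https://api.passwordpurgatory.com/make-hell"; // documented above

// Build the GET URL. URLSearchParams percent-encodes the value, so characters
// such as & # + = in a password cannot truncate or split the query string.
function buildMakeHellUrl(password) {
  if (typeof password !== "string") throw new TypeError("password must be a string");
  const url = new URL(ENDPOINT);
  url.searchParams.set("password", password);
  return url.toString();
}

// Accept only the documented response shape: a JSON object with a string "message".
function parseMakeHellBody(bodyText) {
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch {
    throw new Error("response is not valid JSON");
  }
  if (data === null || typeof data.message !== "string") {
    throw new Error("response has no string 'message' field");
  }
  return data.message;
}

// Send the request and return the rejection message.
async function requestCriteria(password, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildMakeHellUrl(password), { method: "GET" });
  if (!res.ok) throw new Error(`unexpected HTTP status ${res.status}`);
  return parseMakeHellBody(await res.text());
}

// Display as text, never as markup: the message is data from a remote service.
function showMessage(element, message) {
  element.textContent = message;
}
```

In a page, call `requestCriteria(input.value).then(m => showMessage(target, m))`, where `input` and `target` are elements of your own form.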
To orchestrate the request to the API and the display of the returned message, the "make-hell.js" JavaScript file can be directly embedded in any consuming website:
<script src="https://passwordpurgatory.com/make-hell.js"></script>
The script expects the embedding page to provide the following:
ToDo: implement SRI integrity check once version is stable
To enable logging, you will first need to deploy the logger on Cloudflare: github.com/troyhunt/password-purgatory-logger.
Once that is done, include the following scripts in your code, making sure to replace the logger domain with your own Cloudflare worker domain.
<script>let loggerDomain = "https://my-password-purgatory-logger.my-username.workers.dev";</script>
<script src="https://passwordpurgatory.com/log-hell.js"></script>
All code in Password Purgatory is open source and available on GitHub in the following repositories: