Password Purgatory


Password Purgatory is an intentionally infuriating API that demands inane and ultimately unachievable password criteria in order to deliberately frustrate the user. Regardless of the password used, it will always be rejected, hence subjecting the user to "purgatory". Read more in the launch blog post.


There is a single API endpoint that can be invoked with a GET request passing the password as a query string:



A JSON response is returned containing a message describing how the password did not meet the required criteria:

{ "message": "Password must contain at least 1 number" }

Cross-Origin Resource Sharing (CORS)

CORS is enabled to allow calling the API from all origins.

Embedding in an External Website

To orchestrate the request to the API and the display of the returned message, the "make-hell.js" JavaScript file can be embedded directly in any consuming website:

<script src=""></script>

The script expects the embedding page to provide the following:

  1. A form named "passwordPurgatory"
  2. A password field named "password"
  3. An element for the response named "response"
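
The flow described above, sketched as an added example (this is not the project's make-hell.js): it sends the password as a GET query string, reads the JSON `message`, and writes it into the response element. The endpoint URL is a placeholder, and both the `password` query parameter name and the lookup of the response element by its `name` attribute are assumptions.

```javascript
// Added example: a minimal client for the flow described above (not make-hell.js).
// ASSUMPTIONS: API_URL is a placeholder and the query parameter name "password"
// is assumed; take the real values from the API documentation.
const API_URL = "https://api.example.invalid/check"; // placeholder endpoint

// Build the GET URL. URLSearchParams percent-encodes characters such as
// "&", "#", "+" and "=" that would otherwise truncate or alter the password.
function buildRequestUrl(password, base = API_URL) {
  const url = new URL(base);
  url.searchParams.set("password", password);
  return url.toString();
}

// Call the API and return the rejection message as a plain string.
// fetchImpl is injectable so the function can be exercised offline.
async function checkPassword(password, fetchImpl = fetch) {
  const res = await fetchImpl(buildRequestUrl(password), { method: "GET" });
  if (!res.ok) throw new Error(`API returned HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.message !== "string") throw new Error("Unexpected response shape");
  return body.message;
}

// Wire up the three elements the page lists. The message is written with
// textContent, so markup in a response is shown as text and never parsed as HTML.
function attach(doc, fetchImpl = fetch) {
  const form = doc.forms["passwordPurgatory"];
  const field = form.elements["password"];
  const out = doc.getElementsByName("response")[0]; // assumed: name attribute
  form.addEventListener("submit", async (event) => {
    event.preventDefault(); // keep the browser from navigating away
    try {
      out.textContent = await checkPassword(field.value, fetchImpl);
    } catch (err) {
      out.textContent = "Could not check password: " + err.message;
    }
  });
}
```

In a browser, call `attach(document)` after the form has loaded.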

ToDo: implement SRI integrity check once version is stable

Enabling Logging

In order to enable logging, you will first need to deploy the logger on Cloudflare.
Once that is done, include the following scripts in your code, making sure to replace the logger domain with your own Cloudflare worker domain.

<script>let loggerDomain = "";</script>
<script src=""></script>

Source Code

All code in Password Purgatory is open source and available on GitHub in the following repositories:

  1. This website:
  2. The API:
  3. The Logger: