Password Purgatory

Documentation

Password Purgatory is an intentionally infuriating API that demands inane and ultimately unachievable password criteria designed to frustrate the user. Whatever password is submitted, it is always rejected, subjecting the user to "purgatory". Read more in the launch blog post.

Request

There is a single API endpoint that can be invoked with a GET request passing the password as a query string:

GET https://api.passwordpurgatory.com/make-hell?password={password}

Response

A JSON response is returned containing a message describing how the password did not meet the required criteria:

{ "message": "Password must contain at least 1 number" }

Cross-Origin Resource Sharing (CORS)

CORS is enabled to allow calling the API from all origins.
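
A small client for the request and response described above, as an added example rather than code from make-hell.js or the Password Purgatory repositories. The function names and the injectable fetchImpl parameter are hypothetical; only the endpoint URL and the "message" field come from this page.

```javascript
// Added example: not part of make-hell.js or the project's repositories.
const ENDPOINT = "https://api.passwordpurgatory.com/make-hell"; // from the docs above

// Build the GET URL. Passwords routinely contain &, #, + and spaces, all of
// which change the meaning of a query string unless they are percent-encoded.
function buildRequestUrl(password) {
  if (typeof password !== "string") {
    throw new TypeError("password must be a string");
  }
  return `${ENDPOINT}?password=${encodeURIComponent(password)}`;
}

// Pull the "message" string out of a response body, rejecting anything that
// is not the documented shape instead of handing it on to the page.
function extractMessage(bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    throw new Error("response is not valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" ||
      typeof parsed.message !== "string") {
    throw new Error('response has no string "message" field');
  }
  return parsed.message;
}

// Call the API. fetchImpl (hypothetical parameter) defaults to the global
// fetch and can be replaced with a stub to exercise the function offline.
async function checkPassword(password, fetchImpl = fetch) {
  const res = await fetchImpl(buildRequestUrl(password), { method: "GET" });
  if (!res.ok) {
    throw new Error(`unexpected HTTP status ${res.status}`);
  }
  return extractMessage(await res.text());
}

// Browser usage, where responseElement is whichever element shows the message:
// checkPassword(passwordInput.value).then((msg) => {
//   responseElement.textContent = msg; // textContent, never innerHTML
// });
```

Because the password is sent in the query string, it is recorded wherever request URLs are recorded, such as server access logs and proxy logs.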

Embedding in an External Website

To orchestrate the request to the API and the display of the returned message, the "make-hell.js" JavaScript file can be embedded directly in any consuming website:

<script src="https://passwordpurgatory.com/make-hell.js"></script>

The script expects the embedding page to provide the following:

  1. A form named "passwordPurgatory"
  2. A password field named "password"
  3. An element for the response named "response"

ToDo: implement a Subresource Integrity (SRI) check once the version is stable

Source Code

All code in Password Purgatory is open source and available on GitHub in the following repositories:

  1. This website: github.com/troyhunt/password-purgatory
  2. The API: github.com/troyhunt/password-purgatory-api