Have my passwords been compromised?
- Project page
https://github.com/ratoaq2/pwnedpwd
PwnedPwd is a tiny CLI tool which uses the online service Pwned Passwords to check whether a given password have been compromised in known data breaches. Credits to Troy Hunt for hosting such service.
Given the input password, this tool will
- hash it using SHA-1 algorithm, resulting in a 40-characters hexadecimal string
- Use the first 5 characters from the generated string to query the online service
- The online service returns a list of all matching hashes for the given prefix
- Verify if your SHA-1 hash is present in the response
For instance, given an input password P@ssword
- SHA-1 hash is
9E7C97801CB4CCE87B6C02F98291A6420E6400AD
- The first 5 characters are
9E7C9
- We query the online service using
GET https://api.pwnedpasswords.com/range/9E7C9
- The online service returns a list of all matching hashes (777 hashes for this example):
... 77B1EE4BF1B49FEB288C7FC65EE604C0C54:24 780087028CF36AF6A5A1DCF096748FB7090:10 7801CB4CCE87B6C02F98291A6420E6400AD:10848 782545129CEA7F3BD1A076F25B94C064CFE:3 788872DE964354319100FCE0EF4DEA00311:4 ...
- We verify that
7801CB4CCE87B6C02F98291A6420E6400AD
is present and have10848
occurrences in data breaches
Extracted from their website:
Pwned Passwords are more than half a billion passwords which have previously been exposed in data breaches. The service is detailed in the launch blog post then further expanded on with the release of version 2. The entire data set is both downloadable and searchable online via the Pwned Passwords page. In order to protect the value of the source password being searched for, Pwned Passwords also implements a k-Anonymity model that allows a password to be searched for by partial hash.
Detailed information can be found
- https://haveibeenpwned.com/API/v3#PwnedPasswords
- https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
$ [sudo] pip install pwnedpwd
$ pwnedpwd
Password: ******
[GOOD] Password is not present in any known data breach. (source https://haveibeenpwned.com/Passwords)
$ pwnedpwd
Password: 12345
[BAD] Password appeared 2570791 times in data breaches. (source https://haveibeenpwned.com/Passwords)