Elia

Electronics engineering student at TU Dresden.

Interested in electronics, ham radio, UNIX-like OSs and software development (Rust, Julia).

Full-time GNU+Linux user since 2012.

GitHub: knightshrub


All text is licensed under the CC-BY-SA 4.0 International License.

Code is licensed under the GPLv3.

[ 2019-03-15 ]

Using haveibeenpwned.com to check leaked passwords

Categories: Linux

The haveibeenpwned.com API can be used to check whether or not a password has been compromised in a known password leak.

You might have heard of haveibeenpwned.com, a site that aggregates username and password information that has been leaked in data breaches. The site's creator Troy Hunt describes it as follows:

I created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.

The website provides a REST API that can be used to check whether a password is known to have been leaked. The neat thing about this is that the password is never transmitted to HIBP: only the first 5 hex digits of the password's SHA1 hash are sent. HIBP then sends back the remaining 35 hex digits of the SHA1 hashes of all the passwords it knows about that start with those 5 digits { API documentation }. This guarantees a property called k-anonymity { Wikipedia }: the server only learns that the password is one of the many whose hashes share that prefix, never which one.

I have written the following bash script. It asks for the password in a way that keeps it out of the bash history, calculates the SHA1 hash of that password using coreutils sha1sum, and uses cURL to query the API for all known passwords whose SHA1 hashes start with the first 5 hex digits of the password's SHA1 hash. Finally, it checks the rest of the password's hash against the list returned by the API and lets you know whether the entered password has been leaked and is known to haveibeenpwned.com.

#!/bin/bash

# Uses the https://haveibeenpwned.com API to check whether the entered
# password is known to have been leaked
# API doc https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
# information on the k-anonymity model
# https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

# Copyright (C) 2019 Elia Ritterbusch
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# -s keeps the password off the terminal, -r keeps backslashes literal
read -rsp "Enter password: " password
echo

# Upper-case hex SHA1 digest; printf avoids echo's option and escape handling,
# and the quoting prevents word splitting and globbing of the password
hash=$(printf '%s' "$password" | sha1sum | awk '{print toupper($1)}')
prefix=${hash:0:5}   # the only part that is sent to the API
suffix=${hash:5}     # the 35 hex digits that stay on this machine

# Fetch every known suffix for this prefix; fail loudly instead of treating a
# network or HTTP error as "password not found"
response=$(curl --fail --silent --show-error "https://api.pwnedpasswords.com/range/$prefix") \
    || { echo "Could not query the API." >&2; exit 2; }

# Response lines are "SUFFIX:COUNT" with CRLF line endings; drop the CR so it
# does not end up glued to the count, then match the suffix exactly
count=$(printf '%s\n' "$response" | tr -d '\r' \
    | awk -F ":" -v suf="$suffix" '$1 == suf {print $2}')

# The password itself is deliberately not echoed back
if [ -n "$count" ]; then
    echo "The password has been leaked a total of $count times!"
else
    echo "The password was not found in the leaked passwords database!"
fi
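The same range lookup, factored into small functions so the client side of the k-anonymity exchange can be checked offline. This is an added example, not the script above or anything from HIBP; the range response it matches against is constructed (only the suffix for "password" is the real SHA1 remainder, the other suffixes and all counts are made up).

```bash
#!/bin/sh
# Added example, not the original script: the client side of the range lookup
# as functions that can be checked offline against a constructed response.

# Upper-case hex SHA1 digest of the password given as $1
hibp_sha1() {
    printf '%s' "$1" | sha1sum | awk '{print toupper($1)}'
}

# The 5 hex digits that are the only thing ever sent to the API
hibp_prefix() {
    hibp_sha1 "$1" | cut -c1-5
}

# The remaining 35 hex digits, which never leave the client
hibp_suffix() {
    hibp_sha1 "$1" | cut -c6-
}

# Read a range response on stdin and print the count for suffix $1, or 0 if
# the suffix is absent. Lines look like "SUFFIX:COUNT" and end in CRLF, so the
# CR is stripped first; otherwise it would be glued to the count.
hibp_count_in_range() {
    found=$(tr -d '\r' | awk -F ':' -v suf="$1" '$1 == suf {print $2; exit}')
    printf '%s' "${found:-0}"
}

# Constructed response for the prefix 5BAA6 (SHA1("password") starts with it).
# Everything except the middle suffix is made up; none of the counts are real.
SAMPLE_RANGE=$(printf '%s\r\n' \
    '1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8:12' \
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471' \
    '1F0E1D2C3B4A5968776655443322110099F:1')

# Report on a password without printing it. The sample response stands in for
# a live request for the password's prefix. Returns 1 if the password was found.
hibp_check() {
    suf=$(hibp_suffix "$1")
    n=$(printf '%s' "$SAMPLE_RANGE" | hibp_count_in_range "$suf")
    if [ "$n" -gt 0 ]; then
        echo "leaked $n times"
        return 1
    fi
    echo "not found"
    return 0
}
```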