Check for compromised passwords outside of haveibeenpwned.com search/api

pwned password check

Checks the haveibeenpwned.com compromised passwords database for a given hashed password without sending said credential across the wire.

Get Password Data

  1. Install p7zip if you don't have it: brew install p7zip
  2. Download large 7zip pwned passwords file (SHA-1; I downloaded by prevalence): https://haveibeenpwned.com/Passwords
  3. Extract pwned passwords file: 7z e pwned-passwords-sha1-ordered-by-count-v4.7z

Search Password Data

  1. Get the SHA-1 hash of your password in uppercase: echo -n "<password>" | openssl sha1 | awk '{print toupper($NF)}' ($NF keeps only the digest, because some openssl versions prefix the output with "(stdin)= ")
  2. Timed search for compromised password (mine took ~9 minutes when no result): time sed -n -e '/<hashed password>/{=;x;1!p;g;$!N;p;D;}' -e h pwned-passwords-sha1-ordered-by-count-v4.txt (shows the line before and after the result; see https://linuxconfig.org/learning-linux-commands-sed for other output options)
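
As an added example (not part of the original gist), the two search steps combined into one POSIX shell script: it reads the password from the terminal rather than the command line, so it is not written to shell history, and it stops at the first matching line. The function names sha1_upper and pwned_count are hypothetical, and the HASH:COUNT line format of the extracted file is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original gist. Function names are hypothetical.

# sha1_upper: read stdin, print its SHA-1 digest as 40 uppercase hex characters.
# Uses whichever of openssl, sha1sum or shasum is installed.
sha1_upper() {
  if command -v openssl >/dev/null 2>&1; then
    openssl sha1 | awk '{print $NF}'   # output may carry a "(stdin)= " prefix
  elif command -v sha1sum >/dev/null 2>&1; then
    sha1sum | awk '{print $1}'
  else
    shasum -a 1 | awk '{print $1}'
  fi | tr 'abcdef' 'ABCDEF'
}

# pwned_count HASH FILE: print the count recorded for HASH, or 0 if it is not listed.
# Assumes each line of the extracted file has the form HASH:COUNT.
pwned_count() {
  case $1 in
    *[!0123456789ABCDEF]*) echo "hash must be uppercase hex" >&2; return 2 ;;
  esac
  [ "${#1}" -eq 40 ] || { echo "hash must be 40 characters" >&2; return 2; }
  [ -r "$2" ] || { echo "cannot read $2" >&2; return 2; }
  # -m 1 stops at the first hit; tr drops a CR in case the file has CRLF endings.
  pc_line=$(LC_ALL=C grep -m 1 "^$1:" "$2" | tr -d '\r')
  if [ -n "$pc_line" ]; then echo "${pc_line#*:}"; else echo 0; fi
}

# Usage: sh check.sh pwned-passwords-sha1-ordered-by-count-v4.txt
if [ -n "${1:-}" ]; then
  printf 'Password: ' >&2
  trap 'stty echo' EXIT; trap 'exit 130' INT TERM   # restore echo if interrupted
  stty -echo; IFS= read -r pw; stty echo; echo >&2
  n=$(pwned_count "$(printf '%s' "$pw" | sha1_upper)" "$1")
  unset pw
  echo "seen $n times in the pwned passwords file"
fi
```

A result of 0 means the hash is not in the downloaded file.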