Skip to content

Instantly share code, notes, and snippets.

@k0nserv
Last active December 22, 2019 14:04
Show Gist options
  • Save k0nserv/aa964a475d5ff724bb2bea67b946135a to your computer and use it in GitHub Desktop.
Save k0nserv/aa964a475d5ff724bb2bea67b946135a to your computer and use it in GitHub Desktop.
Small Python 3 script to check passwords against https://haveibeenpwned.com/'s list of previously comprised passwords

Have I Been Pwned Password Checker

A small Python 3 script to securely check passwords against https://haveibeenpwned.com/'s list of previously comprised passwords.

Usage

  1. Install the files requirements.txt in a Python 3 virtual environment with pip install requirements.txt.
  2. Start the script with python main.py.

Security

The script hashes passwords locally and the API uses a k-anonimity model to check passwords against the compromised list, neither the password nor the full password hash ever leaves the machine where the script is running. The script itself is small(41 lines) to make it simple and fast to review.

Read more in I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download by Troy Hunt or in the API docs.

import getpass
import requests
import hashlib
from urllib.parse import urljoin
API_BASE = 'https://api.pwnedpasswords.com/range/'
def make_request(BASE_URL, hashed_password):
url = urljoin(BASE_URL, hashed_password[0:5])
return requests.get(url)
def hash(password):
return hashlib.sha1(password.encode('UTF-8')).hexdigest()
def query(password):
hashed_password = hash(password).upper()
response = make_request(API_BASE, hashed_password)
results = [result.strip() for result in response.text.splitlines() if
len(result.strip()) > 0]
match = [match for match in results if match.startswith(hashed_password[5:])]
if len(match) > 0:
[_, count] = match[0].split(':')
print("Password found :(")
print(f"Password observed {count} times")
else:
print("Password not found")
if __name__ == '__main__':
while True:
password = getpass.getpass(prompt='Enter Password: ')
query(password)
print("")
certifi==2019.11.28
chardet==3.0.4
entrypoints==0.3
flake8==3.7.9
idna==2.8
mccabe==0.6.1
pycodestyle==2.5.0
pyflakes==2.1.1
requests==2.22.0
urllib3==1.25.7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment