Created
May 8, 2019 15:07
PowerShell function for testing passwords against HIBP Pwned Password database
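function Test-PwnedPassword {
    <#
    .SYNOPSIS
    Test a provided password against the Have I Been Pwned? Pwned Passwords database.
    .DESCRIPTION
    Test a provided password against the Have I Been Pwned? Pwned Passwords database using the range (k-anonymity) REST API.
    The password is hashed with SHA-1 locally; only the first five hex characters of the hash are sent to the service,
    and the returned suffix list is compared on this machine. The full password and full hash never leave the host.
    .PARAMETER Password
    SecureString object containing password to be tested.
    If not provided, will be prompted.
    .PARAMETER Detailed
    Provide detailed information about result.
    .OUTPUTS
    If -Detailed is not specified, a simple $true or $false is returned, indicating whether or not the password has been pwned.
    If -Detailed is specified, an object is returned with two properties:
    * Pwned: $true or $false
    * Message: Message describing result
    If the HTTP request fails, a non-terminating error is written and nothing is returned.
    .EXAMPLE
    $passwordToTest = ConvertTo-SecureString -String 'Pass@word' -AsPlainText -Force
    Test-PwnedPassword -Password $passwordToTest
    .LINK
    https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
    .NOTES
    2019-03-07 jesse.kozloski knocked this together after reading https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
    seemed like a fun little project.
    #>
    [CmdletBinding()]
    param (
        [Parameter()]
        [System.Security.SecureString]
        $Password = ( Read-Host -Prompt "Enter a password to test" -AsSecureString ),

        [Parameter()]
        [switch]
        $Detailed
    )

    # PSCredential is the least-ceremony way to get the plaintext out of a SecureString.
    # NOTE: GetNetworkCredential().Password materialises an immutable .NET string that cannot
    # be zeroed; keep its use confined to the hashing step below.
    $dummyCredential = New-Object -TypeName 'System.Management.Automation.PSCredential' -ArgumentList 'PwnedPasswordTest', $Password

    # SHA-1 is what the Pwned Passwords service keys on; it is a lookup key here, not a protection mechanism.
    $sha1 = New-Object -TypeName 'System.Security.Cryptography.SHA1CryptoServiceProvider'
    try {
        $plainBytes = [System.Text.Encoding]::UTF8.GetBytes($dummyCredential.GetNetworkCredential().Password)
        try {
            # BitConverter yields upper-case hex separated by '-', which the API expects without separators.
            $hashstring = [System.BitConverter]::ToString($sha1.ComputeHash($plainBytes)).Replace('-', '')
        }
        finally {
            # The byte[] is mutable, so scrub it once the digest has been computed.
            [Array]::Clear($plainBytes, 0, $plainBytes.Length)
        }
    }
    finally {
        # The CSP wraps a native handle; dispose it explicitly rather than waiting on the GC.
        $sha1.Dispose()
    }

    $prefix = $hashstring.Substring(0, 5)
    $suffix = $hashstring.Substring(5)
    $uri = "https://api.pwnedpasswords.com/range/{0}" -f $prefix
    # Response lines are "<35 hex suffix>:<count>"; anchor on our suffix and capture the count.
    $re = "^{0}:(\d+)" -f $suffix
    Write-Verbose ( "URI: {0}" -f $uri )

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        # -UseBasicParsing avoids the IE-engine dependency on Windows PowerShell (ignored on PowerShell 7).
        # Add-Padding makes the response size independent of the number of real suffixes in the range,
        # so a network observer cannot infer the prefix from the response length; padded entries have count 0.
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -Headers @{ 'Add-Padding' = 'true' } -ErrorAction Stop
    }
    catch {
        # Invoke-WebRequest throws on non-2xx responses, so transport and HTTP failures surface here.
        Write-Error ( "Pwned Passwords request failed: {0}" -f $_.Exception.Message )
        return
    }

    if ( $response.StatusCode -ne 200 ) {
        Write-Error ( "HTTP Status Code {0}" -f $response.StatusCode )
        return
    }

    $out = [PSCustomObject]@{
        'Pwned'   = $false
        'Message' = 'Good news — no pwnage found!'
    }

    # Tolerate CRLF as well as LF line endings; stop at the first real (count > 0) hit.
    foreach ( $line in ( $response.Content -split "`r?`n" ) ) {
        if ( ( $line -match $re ) -and ( [int64]( $matches[1] ) -gt 0 ) ) {
            $out.Pwned = $true
            $out.Message = ( 'Oh no - pwned! This password has been seen {0} times in public data breaches, and should not be used.' -f $matches[1] )
            break
        }
    }

    if ( $Detailed.IsPresent ) {
        $out
    }
    else {
        $out.Pwned
    }
}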