Given the large data breach uncovered by HIBP (https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/) in which I was listed, I wrote a script to check all my passwords. Here are the instructions if you want to check all your passwords against their database in a safe way:
- export all your Chrome passwords (or from whatever service you use)
- put all the passwords in a file so that you have one password per line and nothing else, then deduplicate it:
sort -u passwordlist.txt > sortedpasswords.txt
- generate a SHA-1 hash for each line and store it next to the password in hashtable.txt (read line by line so passwords containing spaces, globs or backslashes survive intact)
while IFS= read -r pw; do printf '%s --- %s\n' "$(printf '%s' "$pw" | sha1sum | cut -d' ' -f1)" "$pw"; done < sortedpasswords.txt > hashtable.txt
- run this script and wait. It will take its time.
#!/bin/bash
# Each distinct 5-char prefix is queried once; the full hash never leaves the machine (k-anonymity).
for i in $(cut -c1-5 hashtable.txt | sort -u); do
  HASHES=$(curl -s "https://api.pwnedpasswords.com/range/$i" | tr -d '\r')
  for j in $HASHES; do
    # response lines are SUFFIX:COUNT; rebuild the full 40-char hash from prefix + suffix
    K=$i${j%%:*}
    grep -i "^$K" hashtable.txt
  done
done
# hashtable.txt and sortedpasswords.txt hold your passwords in clear: remove them when you are done.
- if there is any output then it lists the compromised password(s)
if you're one of those criminals that use only one password everywhere... well I'm sorry for you, but you can still check that password in a simple way here: https://haveibeenpwned.com/Passwords
It's safe to submit your password. It's hashed locally and only the first 5 chars of the hash are sent to the server. (you can check their sources too if you don't trust me)
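The same k-anonymity lookup as the script above, reimplemented in Python as an added example (not the original post's script): passwords are read from stdin and hashed in memory, only the 5-character prefix is sent, each prefix is fetched once, and output names the line number rather than the password so nothing sensitive is written to disk. The Add-Padding header is an HIBP feature I added; SAMPLE_RANGE is a constructed response body, not real HIBP data.

```python
import hashlib
import sys
import urllib.request

API = "https://api.pwnedpasswords.com/range/"  # HIBP k-anonymity range endpoint

# Constructed sample response (not real HIBP data): one real-looking hit plus one padding entry.
SAMPLE_RANGE = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" + "0" * 35 + ":0\r\n"

def split_sha1(password):
    """Uppercase hex SHA-1 split into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse a range response ('SUFFIX:COUNT' per CRLF line) into {suffix: count}.
    Padding entries (count 0, returned when Add-Padding is on) are dropped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    """Download one range; the server only ever sees the 5-char prefix."""
    req = urllib.request.Request(API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def check_lines(lines, fetch=fetch_range):
    """Check many passwords; caches each range so duplicate prefixes cost one request.
    Returns [(line_number, count)] for compromised entries, never the password itself."""
    cache, hits = {}, []
    for n, raw in enumerate(lines, 1):
        pw = raw.rstrip("\r\n")
        if not pw:
            continue
        prefix, suffix = split_sha1(pw)
        if prefix not in cache:
            cache[prefix] = parse_range(fetch(prefix))
        if suffix in cache[prefix]:
            hits.append((n, cache[prefix][suffix]))
    return hits

if __name__ == "__main__":  # usage: python3 pwned_check.py < sortedpasswords.txt
    for n, count in check_lines(sys.stdin):
        print(f"line {n}: seen {count} times in breaches")
```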