@roycewilliams
Last active February 28, 2018 03:54
pwned-passwords-range-example.txt
#-----------------------------------------------------------------------------
# Step 1: Compute the SHA1 sum.
# Step 2: Grab the first 5 chars of the hash.
# Step 3: Use API to pull all hashes with that prefix, sort by how often they
# appear, and crack the first few.
#
# (This means that if this query can be intercepted, the attacker has a pretty
# good chance of figuring out your password (if it's non-random or too short).)
#-----------------------------------------------------------------------------
# First, a less-dramatic example:
$ echo -n 'P@ssword123' | sha1sum
af218ea96a34c5bc5829a95248227654853e1043 -
$ echo -n 'P@ssword123' | sha1sum | cut -b1-5
af218
$ curl -s 'https://api.pwnedpasswords.com/range/AF218' | sort -t: -k2 -nr
7F3A19CB7A204D201CD4AAE454B8F639DD6:1008
EA96A34C5BC5829A95248227654853E1043:977 <----- this is the hash of our password
72A937BDEF2415D591E3EAFBD9B941033B3:87
733F74C246CDE48E2C22514E6088901277D:32
9097EFA33C66C34C1393F12CE0B50049BC2:29
B1E94C862B3BCD01583EF97A5016310B4CD:27
D28983FF168BC58BCD4482E795E0A3D9568:25
AE78FB7992A3C18AEFF80E66D3019450C7B:25
ECB53566C7019EC04F056B16F98333AE78E:24
A7E393F92FED747AB312541A627F979194A:24
9BC336DB803AD249CA3F6FD98C2913D4950:23
ADEC317FA4E1A01514FD21CFD9DA20AC040:22
DC39EF3EDDCAD3B508A70AC50234C2D4084:20
32EB991793F7B6E361FBE944274AA3DD609:19
43071AAC3CC75DC4CA185E7E3092DB5131D:17
3E41D25CCD3180EE2C5D5600F74DBCEDAAC:16
D772FF6365A193FA41F8D636E98EECC61EA:15
599257C99260FEDDCBF9C80AFE20FF69E81:15
4270C18932A6D7803E053B9AD790A5A7D6F:15
377AE0954C1CE8E509A573467C66BFF461B:15
32E3CB302B72C2CE5B6DB820F7240995509:15
2FBE7797338BCAE55193A1EF5C925D6A7F0:15
AC3251BD003AE177C8AB1C57E8C923C6F89:13
7C688587C44C6DE39962917AF5F1898051A:13
FF7E3B1D95BE63DCB65755D242846145C02:12
76C3F9B35F7D00320296318AD0FE6BE6732:11
51CF549926B1F9E94FCCB870CCE07730C77:11
0269A283CA92D352E81C74093C59BF34680:11
E2CBDA63F7DA93AA006769A6AD6E82EDEDA:10
0AAAE09B677E76C3B988526667FB53DA2D9:10
[...]
03F43E58A0BFF3F0EAEF392AD0F4DAC1258:1
03327FAE07F16C7E332FB51B88A320ED623:1
#-----------------------------------------------------------------------------
# More dramatic example:
$ echo -n 'password' | sha1sum
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 -
$ echo -n 'password' | sha1sum | cut -b1-5
5baa6
$ curl -s 'https://api.pwnedpasswords.com/range/5baa6' | sort -t: -k2 -nr
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003 <----- this is the hash of our password
2648FB0B2EDA4FDFF99BF51E912CD95C023:6927
8E0D5C9D144BACC76E52C44F5B61E8DF629:182
EF0E14CCB17E525D76050283148A57828F8:40
A516C42C8CD4C7E7E328ABB90D002A9890E:25
3A8ADE4CF1DAD5342AF2F9FC9247EC21943:17
EA2008F79BE2B0E0C02A1642725433BBB2F:15
5E2BCB2FEF09257B0306B4744418999611B:15
7550A5F6BE01B7A448B0BF5171EE5010549:13
42BAADCD710F9EA7E62B60E01D05469AC64:13
270C60DC07A9247E2770AE4B78870F41275:13
32F203CB544F48B0FA79B280B7B7A562442:12
C84782B604BE48977583E108AC6014C5909:11
A469A1756F617687038731E29E65EEE9A0D:11
A209E7253ED38864D64D9780E03FD868127:11
9F15CB4E8267D785B118793E4B3CCE1F617:11
82EF3E8DFA456A4C024AF143DB2F6CF620F:11
941F4DBE019927FFEF89210C3509525DFF0:10
83A5679C95CA20A34EC232230A89E6105F7:10
69FFB53C7AAE39CB18370BE1B9A43978211:10
14064116E29F235C7069D746496596D2051:10
A08C645E088E588F9E5B9ABDFCBCD9E9230:9
[...]
01330C689E5D64F660D6947A93AD634EF8F:1
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
#-----------------------------------------------------------------------------
# And most will be crackable in minutes, because they'll be well-known passwords.
#-----------------------------------------------------------------------------
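The three steps above, written out as a small client so the prefix/suffix split and the local match can be inspected. This is an added example, not part of the gist: `SAMPLE_RANGES` holds the top three lines of the two range responses shown above (trimmed copies, so the check runs offline), `fetch_range` is the live equivalent of the `curl` call and uses the API's optional `Add-Padding` header, and all function names are this example's own.

```python
"""k-anonymity range lookup against the Pwned Passwords API (added example).

Mirrors the gist's three steps: SHA-1 the password, send only the first five
hex characters to the API, then compare the remaining 35 characters locally
against the returned "SUFFIX:COUNT" lines.  The network call is optional; the
sample responses below are trimmed copies of the gist's own output.
"""
import hashlib
from typing import Dict, Optional, Tuple
from urllib.request import Request, urlopen

API = "https://api.pwnedpasswords.com/range/"

# Constructed sample: the top three lines of the gist's AF218 and 5BAA6 ranges.
SAMPLE_RANGES: Dict[str, str] = {
    "AF218": "7F3A19CB7A204D201CD4AAE454B8F639DD6:1008\r\n"
             "EA96A34C5BC5829A95248227654853E1043:977\r\n"
             "72A937BDEF2415D591E3EAFBD9B941033B3:87\r\n",
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\r\n"
             "2648FB0B2EDA4FDFF99BF51E912CD95C023:6927\r\n"
             "8E0D5C9D144BACC76E52C44F5B61E8DF629:182\r\n",
}


def sha1_hex(password: str) -> str:
    """Step 1: hex SHA-1 of the UTF-8 password, upper-cased to match the API's case."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Step 2: the 5-char prefix that leaves the machine and the 35-char suffix that stays."""
    return hex_digest[:5], hex_digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines.

    Entries with a count of 0 are dropped: the API emits such lines when padding
    is requested, and they say nothing about real breach occurrences.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, padding: bool = True) -> str:
    """Step 3 (live): fetch one range; the curl call in the gist. Not used offline."""
    req = Request(API + prefix, headers={"User-Agent": "range-example"})
    if padding:
        req.add_header("Add-Padding", "true")  # uniform response sizes
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, ranges: Dict[str, str] = SAMPLE_RANGES) -> int:
    """How often the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    body = ranges.get(prefix)
    if body is None:
        return 0
    return parse_range(body).get(suffix, 0)


def rank_of_suffix(body: str, suffix: str) -> Optional[int]:
    """1-based position of a suffix once the range is sorted by count (the gist's
    `sort -nr`); this is how exposed the password is to anyone who sees the prefix."""
    ordered = sorted(parse_range(body).items(), key=lambda kv: kv[1], reverse=True)
    for pos, (s, _) in enumerate(ordered, start=1):
        if s == suffix.upper():
            return pos
    return None


if __name__ == "__main__":
    for pw in ("password", "P@ssword123"):
        prefix, suffix = split_hash(sha1_hex(pw))
        print(pw, prefix, breach_count(pw), rank_of_suffix(SAMPLE_RANGES[prefix], suffix))
```

Only `prefix` ever leaves the machine; the suffix comparison happens in `breach_count`. Padding makes every response roughly the same size, which hides which range was fetched from a traffic-size observer, but it does not change the point the gist makes: whoever can read the prefix itself can fetch the same list and sort it the same way.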