Last active
January 19, 2024 23:56
Checking Pwned Passwords manually
# Get the SHA-1 hash of your password. Here, we use `cat` to enter it securely
# so that it doesn't end up in shell history. (Type the password, then Enter,
# then ctrl-D to finish.)
$ cat | tr -d '\n' | sha1sum
hunter2
f3bbbd66a63d4bf1747940578ec3d0103530e21d -
# Split the hash digest into the first 5 and last 35 characters. You'll query
# the Pwned Passwords API for the prefix, then check if the suffix is in the
# results that come back.
$ curl -sS https://api.pwnedpasswords.com/range/f3bbb | grep -i d66a63d4bf1747940578ec3d0103530e21d
D66A63D4BF1747940578EC3D0103530E21D:23864
# We got a result, so it was in the DB! In fact, it was in there 23864 times.
# If the result is empty, it wasn't in the DB. But check your methods first
# with a known-bad password so that you know you didn't just flub something.
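The same k-anonymity check as a small Python script, added here as an example (it is not part of the gist). The hashing and suffix-matching are split from the network call so the matching logic can be exercised offline against a constructed sample response; the `Add-Padding` request header and the `User-Agent` value are assumptions about how you would call the API, and only the real `hunter2` line in the sample comes from the session above.

```python
# Added example: Pwned Passwords k-anonymity lookup in Python.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_digest(password: str) -> tuple[str, str]:
    """Return (first 5, last 35) hex chars of the upper-case SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Find `suffix` in a "SUFFIX:COUNT" range listing; 0 if absent.

    Padding entries (returned when Add-Padding: true is sent) carry a
    count of 0, so a 0 result means "not found" either way.
    """
    wanted = suffix.upper()
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == wanted:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the suffix list for one 5-char prefix (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """Full check: only the 5-char prefix ever leaves the machine."""
    prefix, suffix = split_digest(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed sample response for prefix F3BBB: the real "hunter2" line from
# the gist above, surrounded by made-up neighbours and one padding entry.
SAMPLE_RANGE = (
    "D66A63D4BF1747940578EC3D0103530E21C:7\r\n"
    "D66A63D4BF1747940578EC3D0103530E21D:23864\r\n"
    "D66A63D4BF1747940578EC3D0103530E21E:0\r\n"
)
```

Call `pwned_count("hunter2")` with network access to reproduce the live lookup; `count_in_range(SAMPLE_RANGE, ...)` shows the matching without any request.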