@tylerkerr
Created January 22, 2019 15:21
check haveibeenpwned's API for passwords
```python
#!/usr/bin/env python3
import hashlib
from getpass import getpass
from requests import get

'''troy hunt runs haveibeenpwned.com. he collects huge dumps of breached passwords,
and has made them available. you can download the entire dump of hashes (annoying),
or you can query his API directly. doing this on his website involves typing in the
actual candidate password you want to check and assuming nothing untoward happens.
or you can query it on your own using the k-anonymity model:
generate a sha1 hash of the candidate password, then send hibp the first 5 hex chars
(2.5 bytes) of the hash. the API will return every suffix that matches those 5 chars
along with the number of breach occurrences of that password. you, knowing the entire
hash, just look through the list and pick out the hash you're concerned with.
here's a readable python script to do this while being sure your password doesn't go
anywhere else.'''


def getSHA(password: str):
    # hexdigest() is lowercase; the API returns uppercase suffixes, so the
    # comparison below lowercases the API side before matching
    return hashlib.sha1(password.encode()).hexdigest()


def getlist(hashprefix: str):
    assert len(hashprefix) == 5  # make sure it's only 5 chars
    baseurl = 'https://api.pwnedpasswords.com/range/'
    fullurl = baseurl + hashprefix
    response = get(fullurl)
    response.raise_for_status()  # fail loudly on a non-2xx reply instead of parsing an error page
    return response.text


def main():
    print("[-] entering password checking zone")
    while True:
        badpass = getpass(prompt="> ")
        passwordhash = getSHA(badpass)
        hashprefix = passwordhash[:5]   # the only part that leaves this machine
        hashsuffix = passwordhash[5:]   # compared locally against the returned list
        listlines = getlist(hashprefix).splitlines()
        for line in listlines:
            parseline = line.split(':')  # each line is SUFFIX:COUNT
            listsuffix = parseline[0].lower()
            occurrences = parseline[1]
            if listsuffix == hashsuffix:
                print(f"[!] that password is known. it's been seen {occurrences} times")
                break
        else:
            print("[+] that hash was not in the returned list")


if __name__ == '__main__':
    main()
```
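The prefix/suffix split and the local matching step, as an added offline example that is not part of the gist: the `/range/` response is replaced by a constructed sample body in the same `SUFFIX:COUNT` format so the lookup can be exercised without touching the network, and malformed lines are skipped rather than crashing the parser.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the body the /range/5BAA6 endpoint would return
# (not a real capture): one "SUFFIX:COUNT" line per hash, suffixes upper-case.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the SHA-1 hex digest, upper-cased to match
    the API's format. Only the 5-char prefix is ever sent anywhere."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range body into {suffix: count}, ignoring malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        # a valid entry is exactly 35 hex chars, a colon, and a decimal count
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def occurrences(password: str, body: str) -> int:
    """Breach occurrence count for password, given the range body fetched for
    its prefix; 0 means the full hash was not in the returned list."""
    _prefix, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)
```

In the real script, `body` is the text returned for `split_hash(password)[0]`; everything after that call happens locally.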