check haveibeenpwned's API for passwords
#!/usr/bin/env python3
import hashlib
import string
from getpass import getpass

from requests import get
'''Troy Hunt runs haveibeenpwned.com. He collects huge dumps of breached passwords
and has made them available. You can download the entire dump of hashes (annoying),
or you can query his API directly. Doing this on his website involves typing in the
actual candidate password you want to check and assuming nothing untoward happens.
Or you can query it on your own using the k-anonymity model:
generate a SHA-1 hash of the candidate password, then send HIBP only the first 5 hex chars
(2.5 bytes, i.e. 20 bits) of the hash. The API returns every suffix that matches those
5 chars along with the number of breach occurrences of that password. You, knowing the
entire hash, just look through the list locally and pick out the hash you're concerned with.
Here's a readable Python script to do this while being sure your password doesn't go
anywhere else: the full password and full hash never leave this machine, only the
5-character prefix is sent, and it is sent over HTTPS.'''
def getSHA(password: str) -> str:
    """Return the lowercase hex SHA-1 digest of *password*.

    SHA-1 is used here only because it is the hash the Pwned Passwords range
    API is keyed on; it is not a suitable hash for storing passwords. The
    password is encoded as UTF-8 before hashing.
    """
    digest = hashlib.sha1()
    digest.update(password.encode('utf-8'))
    return digest.hexdigest()
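def getlist(hashprefix: str) -> str:
    """Fetch the Pwned Passwords k-anonymity range for a 5-hex-char SHA-1 prefix.

    Returns the response body with one ``SUFFIX:COUNT`` line per breached
    password whose SHA-1 starts with *hashprefix*. Only the prefix is ever
    sent to the API; matching against the full hash is the caller's job.

    Raises ValueError if *hashprefix* is not exactly five hex characters
    (a real exception rather than ``assert``, so the check survives ``-O``),
    and requests.HTTPError (via ``raise_for_status``) on a non-2xx reply.
    """
    if len(hashprefix) != 5 or not all(c in string.hexdigits for c in hashprefix):
        raise ValueError(f"hash prefix must be exactly 5 hex characters, got {hashprefix!r}")
    baseurl = 'https://api.pwnedpasswords.com/range/'
    response = get(
        baseurl + hashprefix,
        # Ask the API to pad the reply with dummy entries (count 0) so the
        # response size does not reveal which range was requested.
        headers={'Add-Padding': 'true'},
        # Never let the interactive loop hang on a stalled connection.
        timeout=10,
    )
    response.raise_for_status()
    # Drop padding entries (count 0) and anything that is not SUFFIX:COUNT,
    # so callers only ever see real hits.
    realhits = []
    for line in response.text.splitlines():
        suffix, sep, count = line.partition(':')
        if sep and count.strip() != '0':
            realhits.append(line)
    return '\n'.join(realhits)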
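def main():
    """Interactively check passwords against the Pwned Passwords range API.

    Each password is read without echo, hashed locally with SHA-1, and only
    the first five hex characters of the hash are handed to getlist(); the
    returned suffix list is matched locally against the rest of the hash.
    The loop ends on an empty line, EOF or Ctrl-C instead of tracebacking.
    """
    print("[-] entering password checking zone")
    while True:
        try:
            badpass = getpass(prompt="> ")
        except (EOFError, KeyboardInterrupt):
            print()
            return
        if not badpass:
            # A blank line is the way out of the loop.
            return
        passwordhash = getSHA(badpass)
        hashprefix, hashsuffix = passwordhash[:5], passwordhash[5:]
        try:
            listlines = getlist(hashprefix).splitlines()
        except OSError as err:
            # requests' RequestException subclasses IOError (== OSError), so a
            # network or HTTP failure is reported and the loop keeps going.
            print(f"[x] lookup failed: {err}")
            continue
        found = False
        for line in listlines:
            # Each line is SUFFIX:COUNT; skip anything that does not parse
            # rather than crashing on an IndexError.
            listsuffix, sep, occurrences = line.partition(':')
            if not sep:
                continue
            if listsuffix.strip().lower() == hashsuffix:
                print(f"[!] that password is known. it's been seen {occurrences.strip()} times")
                found = True
                break
        if not found:
            print("[+] no match for that password in the returned range")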
# Only start the interactive loop when run as a script, not when imported.
if __name__ == '__main__':
    main()