Skip to content

Instantly share code, notes, and snippets.

@k0nserv

k0nserv/README.md

Last active December 22, 2019 14:04
Show Gist options
  • Save k0nserv/aa964a475d5ff724bb2bea67b946135a to your computer and use it in GitHub Desktop.
Save k0nserv/aa964a475d5ff724bb2bea67b946135a to your computer and use it in GitHub Desktop.
Download ZIP
Small Python 3 script to check passwords against https://haveibeenpwned.com/'s list of previously comprised passwords
Raw
README.md

Have I Been Pwned Password Checker

A small Python 3 script to securely check passwords against https://haveibeenpwned.com/'s list of previously comprised passwords.

Usage

  1. Install the files requirements.txt in a Python 3 virtual environment with pip install requirements.txt.
  2. Start the script with python main.py.

Security

The script hashes passwords locally and the API uses a k-anonimity model to check passwords against the compromised list, neither the password nor the full password hash ever leaves the machine where the script is running. The script itself is small(41 lines) to make it simple and fast to review.

Read more in I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download by Troy Hunt or in the API docs.

Raw
main.py
import getpass
import requests
import hashlib
from urllib.parse import urljoin
API_BASE = 'https://api.pwnedpasswords.com/range/'
def make_request(BASE_URL, hashed_password):
url = urljoin(BASE_URL, hashed_password[0:5])
return requests.get(url)
def hash(password):
return hashlib.sha1(password.encode('UTF-8')).hexdigest()
def query(password):
hashed_password = hash(password).upper()
response = make_request(API_BASE, hashed_password)
results = [result.strip() for result in response.text.splitlines() if
len(result.strip()) > 0]
match = [match for match in results if match.startswith(hashed_password[5:])]
if len(match) > 0:
[_, count] = match[0].split(':')
print("Password found :(")
print(f"Password observed {count} times")
else:
print("Password not found")
if __name__ == '__main__':
while True:
password = getpass.getpass(prompt='Enter Password: ')
query(password)
print("")
Raw
requirements.txt
certifi==2019.11.28
chardet==3.0.4
entrypoints==0.3
flake8==3.7.9
idna==2.8
mccabe==0.6.1
pycodestyle==2.5.0
pyflakes==2.1.1
requests==2.22.0
urllib3==1.25.7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment