@stefanesser
Last active September 22, 2018 11:12
Real world example why you should not ask #haveibeenpwned during password entry if password is compromised.
After a debate on Twitter about how secure or insecure it is to ask #haveibeenpwned, with their k-anonymity check, whether a password is compromised (while you are entering the password), I have hacked together a small Python script that, without optimization, tries to answer this question.
We are testing a 20-character password: bananenBrot4321Alarm

The assumption is that the website uses the k-anonymity check, which leaks the first 5 hex characters of the SHA1 hash to #haveibeenpwned with every attempt. The assumption is also that the first query happens after X characters of the password have been entered, and that another check is executed after every further Y characters.
Meaning of output:

candidate: XXXXXX <——— this outputs one candidate for every 100k passwords that were tried, plus every new candidate from the candidate list of the previous call

[x, y, y, y, …] <—— the first prefix is x characters long, then every y characters a new check was made
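The following is an added cost model, not the gist's own script, that shows why the check schedule above matters from the website's side. It takes the assumptions stated above (each check leaks the first 5 hex characters of the SHA1 hash of the current prefix, checks fire after x and then every y characters) and computes how many candidate prefixes an observer of those queries would still have to consider after each check, compared with checking the complete password only once at submit time. The 62-symbol alphabet (letters and digits) and the 20-character length are assumptions chosen to match the test password; the function and variable names are my own.

```python
import math

HEX_PREFIX_CHARS = 5                    # HIBP range API: the client sends the first 5 hex chars of SHA1
PREFIX_SPACE = 16 ** HEX_PREFIX_CHARS   # 2**20 distinct prefixes, i.e. roughly 20 bits leaked per check


def check_points(length, first, step):
    """Prefix lengths at which a keystroke-time check fires.

    The gist's notation [x, y, y, ...] means: first check after x characters,
    then one after every further y characters. Returns the cumulative prefix
    lengths, always ending with the full password (the submit-time check).
    """
    points = list(range(first, length + 1, step))
    if not points or points[-1] != length:
        points.append(length)
    return points


def leakage_report(length, first, step, alphabet_size=62):
    """Model how repeated 20-bit leaks collapse the search space (assumed model).

    Each check reveals the hash prefix of SHA1(password_prefix). Someone who
    already knows the previous prefix only has to enumerate the new segment:
    alphabet_size ** new_chars candidates, of which on average
    candidates / PREFIX_SPACE share the observed 5 hex characters (plus the real
    one, which always survives). Returns one dict per check.
    """
    report = []
    prev_len = 0
    survivors = 1.0        # candidate prefixes consistent with all checks so far
    cumulative_work = 0.0  # hashes that must be computed over the whole schedule
    for plen in check_points(length, first, step):
        new_chars = plen - prev_len
        candidates = survivors * alphabet_size ** new_chars
        cumulative_work += candidates
        survivors = 1.0 + (candidates - 1.0) / PREFIX_SPACE
        report.append({
            "prefix_len": plen,
            "new_chars": new_chars,
            "candidates": candidates,
            "expected_survivors": survivors,
            "cumulative_work": cumulative_work,
        })
        prev_len = plen
    return report


def brute_force_work(length, alphabet_size=62):
    """Search space with no leak at all: every password of that length."""
    return alphabet_size ** length


def leaked_bits(length, first, step):
    """Upper bound on bits revealed by the schedule (20 bits per check)."""
    return len(check_points(length, first, step)) * HEX_PREFIX_CHARS * 4


if __name__ == "__main__":
    length = 20  # bananenBrot4321Alarm is 20 characters
    for label, first, step in [("keystroke [4,2,2,...]", 4, 2),
                               ("keystroke [5,1,1,...]", 5, 1),
                               ("submit only", length, length)]:
        rep = leakage_report(length, first, step)
        print(f"{label}: {len(rep)} checks, ~{leaked_bits(length, first, step)} bits leaked, "
              f"work ~{rep[-1]['cumulative_work']:.3g} hashes, "
              f"log2 = {math.log2(rep[-1]['cumulative_work']):.1f}")
    print(f"no leak at all: log2 work = {math.log2(brute_force_work(length)):.1f}")
```

The decisive quantity is the size of each new segment relative to the 2^20 possible hash prefixes: a two-character segment has 62^2 = 3844 candidates, so a single observed prefix identifies it almost uniquely, and the total work becomes a sum of small segment searches rather than the product 62^20. A single submit-time check, by contrast, leaves on the order of 62^20 / 2^20 candidates, which is no practical help to an observer.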
Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [4, 2, 2, 2, 2, 2, 2, 2, 2]
https://gist.github.com/stefanesser/3b8911f6e9798daf8e0fcd469b7ceea8
Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
https://gist.github.com/stefanesser/eef8c046c82a6f1fd47aaaf25e87f698
Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [5, 2, 2, 2, 2, 2, 2, 2, 1]
https://gist.github.com/stefanesser/f643f87dc88bbdc7b22594b7d7f67bd2