Skip to content

Instantly share code, notes, and snippets.

Forked from lzybkr/Get-AmIPwned.ps1
Created January 18, 2019 10:11
Show Gist options
  • Save weltregie/c1e9a224e8af33229bd9e2431e60f399 to your computer and use it in GitHub Desktop.
Save weltregie/c1e9a224e8af33229bd9e2431e60f399 to your computer and use it in GitHub Desktop.
Script to query passwords reported to
Reports if your password is pwned by querying
Query to see if a password has appeared in a breach.
The query sends the first 5 characters of the SHA1 hash, so the query should be considered safe and anonymous.
If you pass no parameters, you are prompted for the password to check and the password is not echoed to the screen.
.PARAMETER password_notsecure
Pass a plaintext password. This option is for convenience, but not recommended.
If used with real passwords, clear your history and transcripts after use.
.PARAMETER password_secure
Pass a SecureString password, e.g. read from a file.
PS> Get-AmIPwned.ps1
Password to check: : ******
Pwned Seen Hash
----- ---- ----
True 2670319 6367c48dd193d56ea7b0baad25b19455e529f5ee
PS> 'P@ssw0rd', 'P@assw0rd', 'adsfadfsasdfadsadsf','abc123','password' | Get-AmIPwned.ps1
Pwned Seen Hash
----- ---- ----
True 47205 21bd12dc183f740ee76f27b78eb39c8ad972a757
True 39 630aab54f57ad2af22e2479b071bc1b47d09d1b0
False 0 f59b862b64a1043869acee3997841106d4ec01d5
True 2670319 6367c48dd193d56ea7b0baad25b19455e529f5ee
True 3303003 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
class PwnedPasswordResult {
$sha1 = [System.Security.Cryptography.SHA1CryptoServiceProvider]::new()
$secProtocol = [System.Net.ServicePointManager]::SecurityProtocol
$ProgressPreference = 'Ignore'
try {
[System.Net.ServicePointManager]::SecurityProtocol = "tls, tls11, tls12"
if (!$password_secure -and !$password_notsecure) {
$password_secure = Read-Host -AsSecureString -Prompt 'Password to check: '
if (!$password_notsecure) {
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password_secure)
$password_notsecure = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
$bstr = $null
$password_bytes = [System.Text.Encoding]::ASCII.GetBytes($password_notsecure)
$password_notsecure = $null
$password_hash = ($sha1.ComputeHash($password_bytes) | % { $_.ToString("x2") }) -join ''
$password_bytes = $null
$prefix = $password_hash.Substring(0,5)
$suffix = $password_hash.Substring(5)
$range = (iwr "$prefix").Content
if ($range -match "${suffix}:(\d+)")
$pwned = $true
$hits = $matches[1]
$pwned = $false
$hits = 0
Pwned = $pwned
Seen = $hits
Hash = $password_hash
} finally {
[System.Net.ServicePointManager]::SecurityProtocol = $secProtocol
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment