Extended Brain Storage

Security: Have I Been Pwned?

Posted on February 26, 2018

Brief information about the very interesting leaked-password database project haveibeenpwned.com...

Introduction

It is a project of an individual named Troy Hunt to provide:

"a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised"

The resource (database) can be used (searched) in the ways described below.

Usage

IMPORTANT NOTICE: In terms of security and privacy, the best searching method is described at the very end (searching by a password hash range).


Direct usage enables individuals to test their credentials by entering them in the provided search element. Such a process is generally not recommended, as it may in fact help steal the very credentials. No third-party page should be trusted regardless of its claims. The current API URLs are as follows:

$ curl https://haveibeenpwned.com/api/v2/unifiedsearch/username%40domain.tld
$ curl https://haveibeenpwned.com/api/v2/unifiedsearch/secret

A good method is searching by a password hash (SHA-1), which can be done as follows:

  1. Calculating the password hash using:
$ printf "secret" | sha1sum | awk '{print $1}'
e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
  2. Opening the API URL as follows:
$ curl https://api.pwnedpasswords.com/pwnedpassword/e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
195263

The server response includes a count in the response body indicating how many times that password appears in the data set.


The best method is searching by a password hash range (SHA-1), as it prevents the server from knowing which password hash has been searched. It can be done as follows:

  1. Calculating the password hash and getting its first five characters (prefix) using:
$ printf "secret" | sha1sum | cut -c -5
e5e9f
  2. Calculating the password hash and getting its last 35 characters using:
$ printf "secret" | sha1sum | cut -c 6-40
a1ba31ecd1ae84f75caaa474f3a663f05f4
  3. Opening the API URL as follows:
$ curl -s https://api.pwnedpasswords.com/range/e5e9f | grep -i a1ba31ecd1ae84f75caaa474f3a663f05f4
A1BA31ECD1AE84F75CAAA474F3A663F05F4:195263

The server response includes the suffix of every hash beginning with the specified prefix and it can be "grepped" to select only the desired one.

The three previous steps can be written as a "one-liner" as follows:

$ curl -s https://api.pwnedpasswords.com/range/`printf "secret" | sha1sum | cut -c -5` | grep -i `printf "secret" | sha1sum | cut -c 6-40`
A1BA31ECD1AE84F75CAAA474F3A663F05F4:195263
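The same range lookup as a small Python client, added here as an example that is not part of the original post: only the five-character SHA-1 prefix leaves the machine, and the 35-character suffix is matched locally against the SUFFIX:COUNT lines of the response. The sample response is constructed (the post's line for "secret" plus two made-up neighbours) so the matching logic runs offline; the fetch helper is the only part that touches the network.

```python
import hashlib
import urllib.request

# Range endpoint as given in the post.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the SHA-1 hex digest into the 5-char prefix (sent) and the 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines of a range response; return the count for suffix, or 0 if absent.

    Comparison is case-insensitive, like the post's 'grep -i'.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range response for a prefix (network access; not exercised offline)."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the data set; 'fetch' is injectable for offline use."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix E5E9F: the real line for "secret" from the post,
# surrounded by two made-up suffixes so the lookup has to pick the right line.
SAMPLE_RANGE_E5E9F = """\
0123456789ABCDEF0123456789ABCDEF012:3
A1BA31ECD1AE84F75CAAA474F3A663F05F4:195263
FEDCBA9876543210FEDCBA9876543210FED:1
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_E5E9F  # assumption: stand-in for the live API
    print(pwned_count("secret", fetch=offline))  # 195263 for the constructed response
```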

Tags: #e-mail #ssh #server #account #Arch Linux #OpenBSD #FreeBSD #macOS
