Make Sure Your Users’ Passwords Hasn’t Been Hacked Before

Chedy
Chedy
Feb 18 · 4 min read

If you are a casual internet user and know nothing about Coding and you want to check if your Email and Password haven't been leaked in data breaches before. Please check my previous article where I don’t go into technical details:

NOW IF YOU ARE A DEVELOPER:

This is where the fun begins:

There is a website that allows Internet users to check whether their personal data has been compromised by data breaches.
IT’S THE FAMOUS haveibeenpwned.

If you go to haveIbeenpwned/password and enter a password, eg “password”

You’ll get how many times that password has been found in data breaches.

Now if you are a developer like me you might be skeptical about entering your password or your users’ passwords on a third-party website, that’s where the HaveIbeenPwned API comes into play.

They provide an API endpoint you can fetch for specific password results but this time you won’t be sending them your password in plain text, you only have to send the first 5 characters of your hashed password (SHA1).

Example: https://api.pwnedpasswords.com/range/21BD1

An HTTP GET request to this URL will get you these results :

Just open the link in a new tab and you’ll see the rest of the results.

HOW DOES THIS WORK?

The API is using a mathematical property called k-anonymity, it works like this:

Imagine if you wanted to check whether the password “P@ssw0rd” exists in the data set. (Using “@” instead of “a” is a known trick for hackers, please don’t do such things in your passwords)

The SHA-1 hash of “P@ssw0rd” is:

“21BD12DC183F740EE76F27B78EB39C8AD972A757” so what we’re going to do is take just the first 5 characters, in this case, that means “21BD1”. That gets sent to the Pwned Passwords API and it responds with 475 hash suffixes (that is everything after “21BD1”) and a count of how many times the original password has been seen.

For example:

I added the prefix in brackets beforehand and the source passwords in brackets afterward simply to illustrate what we’re doing here; they’re all just different strings that hash down to values with the same first 5 characters.

There are 475 hashes beginning with “21BD1”, but only 1 which matches the remainder of the hash for “P@ssw0rd” and that record indicates that the password has previously been seen 47,205 times.

This way the password provided is safe and no one has access to it but you or your user

HOW DO YOU KNOW WHICH HASH IS THE RIGHT ONE?

Well, this is pretty easy, you just iterate through all the results and look for the hash that matches yours.

THE NPM PACKAGE:

I have published an NPM PACKAGE that takes care of all this stuff for you

I am open to contributions and please if you find any bug make sure to issue it

PYTHON LOVERS:

I didn’t make a pip package, I will soon but I already made a script that checks the password given

NOW YOU HAVE THE ABILITY TO CHECK YOUR USERS’ PASSWORD AND NOTIFY THEM IF THEIR PASSWORD HAS BEEN COMPROMISED

PLEASE CHANGE YOUR PASSWORD IF IT’S BEEN COMPRIMISED TOO AND MAKE SURE YOU DON’T USE THE SAME PASSWORD IN DIFFERENT PLACES

Connect with me on Linkedin for more interesting tech stuff!

Thank you very much for your attention.

The Startup

Get smarter at building your thing. Join The Startup’s +789K followers.

Sign up for Top 10 Stories

By The Startup

Get smarter at building your thing. Subscribe to receive The Startup's top 10 most read stories — delivered straight into your inbox, once a week. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +789K followers.

Chedy

Written by

Chedy

Backend Developer in Pursuit of Happiness | Entrepreneur in the making

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +789K followers.