If you are a casual internet user and know nothing about Coding and you want to check if your Email and Password haven't been leaked in data breaches before. Please check my previous article where I don’t go into technical details:
NOW IF YOU ARE A DEVELOPER:
This is where the fun begins:
There is a website that allows Internet users to check whether their personal data has been compromised by data breaches.
IT’S THE FAMOUS haveibeenpwned.
If you go to haveIbeenpwned/password and enter a password, eg “password”
You’ll get how many times that password has been found in data breaches.
Now if you are a developer like me you might be skeptical about entering your password or your users’ passwords on a third-party website, that’s where the HaveIbeenPwned API comes into play.
They provide an API endpoint you can fetch for specific password results but this time you won’t be sending them your password in plain text, you only have to send the first 5 characters of your hashed password (SHA1).
An HTTP GET request to this URL will get you these results :
Just open the link in a new tab and you’ll see the rest of the results.
HOW DOES THIS WORK?
The API is using a mathematical property called k-anonymity, it works like this:
Imagine if you wanted to check whether the password “P@ssw0rd” exists in the data set. (Using “@” instead of “a” is a known trick for hackers, please don’t do such things in your passwords)
The SHA-1 hash of “P@ssw0rd” is:
“21BD12DC183F740EE76F27B78EB39C8AD972A757” so what we’re going to do is take just the first 5 characters, in this case, that means “21BD1”. That gets sent to the Pwned Passwords API and it responds with 475 hash suffixes (that is everything after “21BD1”) and a count of how many times the original password has been seen.
I added the prefix in brackets beforehand and the source passwords in brackets afterward simply to illustrate what we’re doing here; they’re all just different strings that hash down to values with the same first 5 characters.
There are 475 hashes beginning with “21BD1”, but only 1 which matches the remainder of the hash for “P@ssw0rd” and that record indicates that the password has previously been seen 47,205 times.
This way the password provided is safe and no one has access to it but you or your user
HOW DO YOU KNOW WHICH HASH IS THE RIGHT ONE?
Well, this is pretty easy, you just iterate through all the results and look for the hash that matches yours.
THE NPM PACKAGE:
I have published an NPM PACKAGE that takes care of all this stuff for you
I am open to contributions and please if you find any bug make sure to issue it
I didn’t make a pip package, I will soon but I already made a script that checks the password given
- Github Repo: password-pwnd, GIVE IT A STAR IF YOU LIKE IT
NOW YOU HAVE THE ABILITY TO CHECK YOUR USERS’ PASSWORD AND NOTIFY THEM IF THEIR PASSWORD HAS BEEN COMPROMISED
PLEASE CHANGE YOUR PASSWORD IF IT’S BEEN COMPRIMISED TOO AND MAKE SURE YOU DON’T USE THE SAME PASSWORD IN DIFFERENT PLACES
Connect with me on Linkedin for more interesting tech stuff!
Thank you very much for your attention.