Checking for Pwned Passwords
by Vince, in Blog
If you don't already use the web site "have i been pwned?", you should. It's a solid resource for checking whether your accounts have turned up in a known breach: you enter your email address, the site searches its database, and if your address shows up in a breach it lists the compromised sites and the details of each breach.
Another feature of the site is the ability to check a password against its list of compromised passwords. There are about 580 million passwords in the database, and while you might think "l33thacker" is solid, the database says it has been seen 55 times.
While on their site this morning checking a password, I noticed a section titled "API" on the top menu. Curious, I read through the section and found my new Python project.
Some obstacles:
1. Although the site's form takes a plain string, the API does not accept the string itself; it expects the SHA-1 hash of the string.
2. When the hash is passed to the API, it is not the entire hash, only the first five hex characters. This is the k-anonymity model: the full hash (and therefore the password) never leaves our machine.
3. The response is not our full 40-character hash either. It is a list of every hash in the database that begins with those five characters, each given as the remaining 35 characters followed by a colon and the number of times that password has been seen. We have to find our own 35-character suffix in that list ourselves.
4. When we connect to the host to send the first five characters, we receive: "urllib2.HTTPError: HTTP Error 403: Forbidden". The API rejects requests that arrive with Python's default user agent. We fix this by setting a descriptive User-Agent header on our request.
5. The suffixes in the response are presented in UPPERCASE, while hexdigest() gives us lowercase. We need to convert our remaining 35 characters to UPPERCASE (or compare case-insensitively) before comparing.
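Putting the five steps together, here is an added example of the whole check in Python 3 (this is not the post's own script, which is linked below, and it uses urllib.request rather than the urllib2 module mentioned in obstacle 4). The range URL is the API's range endpoint; the user-agent string and the SAMPLE_RANGE response body are assumptions constructed here so that the parsing and comparison can be exercised offline. Only the five-character prefix is ever sent over the network.

```python
import hashlib
import urllib.request

# Range endpoint of the Pwned Passwords API: GET <RANGE_URL><first 5 hex chars of SHA-1>
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Assumption: any descriptive user agent; the default Python one is rejected with a 403.
USER_AGENT = "pwned-password-check-example"


def sha1_prefix_suffix(password):
    """Return (first 5, remaining 35) hex characters of SHA-1(password), uppercased
    to match the API's response format (obstacles 1, 2 and 5)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, user_agent=USER_AGENT):
    """Fetch the range for a 5-character prefix. Sets a User-Agent header so the
    request is not refused with HTTP 403 (obstacle 4)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(range_body, suffix):
    """Search a range response (lines of SUFFIX:COUNT) for our 35-character suffix.
    Returns the breach count, or 0 if the suffix is absent (obstacle 3)."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in the database (0 = not found).
    `fetch` is injectable so the logic can be run against a canned response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed sample response for the prefix 5BAA6 (SHA-1 of "password" begins with it).
# The third suffix is the real remainder of SHA-1("password"); the other suffixes and
# all counts are made up for this example.
SAMPLE_RANGE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
)


if __name__ == "__main__":
    # Offline run against the canned response; swap the fetch argument out to go live.
    print(check_password("password", fetch=lambda prefix: SAMPLE_RANGE))
```

For a live check, call check_password("...") with no fetch argument; the only thing the API learns is which of the 1,048,576 five-character prefixes you asked about.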
The script can be found here: Python Script: Password Check