Has Your Password Been Pwned?
Passwords are a headache and, if you're anything like me, you have a handful with various degrees of complexity that you use, depending on the service. Lame-o subscription? Throwaway account with weak password. Bank account? Secure account with strong password.
Either way, how can you tell if your password, especially if you believe it's a strong password, hasn't been compromised?
Your first instinct may be to do a search, upon which you stumble across haveibeenpwned.com, a service that allows you test if your password exists in a password list somewhere. But, it requires you to submit your precious "strong and secure" password... to a service you're not sure you can trust... If you're like me, you're completely hesitant to do this. After all, how can you trust that the service, catered to non-technical folk, is not storing your password which then gets added to a compromised list or who knows what else? What if it's adding it to some insecure password database which risks becoming compromised itself? The honest truth is unless you're part of their security team maintaining the website, you can't be completely sure.
The good news is that there's another way! What if I said that you can test whether your password's been compromised without having to submit your password online?
The original author and owner of haveibeenpwned.com, Troy Hunt, has actually acknowledged that there are many people who share the privacy concerns over submitting their passwords using his online service. Paranoid folks rejoice! You are not alone!
So, to alleviate this concern, Troy has developed an online API that allows anyone, anonymously, to test their password using a method known as "k-Anonymity range search."
The basic premise is this: If you generate a SHA-1 hash of your precious password, and then submit just the first five characters of this hash to the API, the API will respond with all the compromised passwords, in SHA-1 form, that share those same first five characters.
Typically, you'll get back a SHA-1 list of about 500 pwned passwords.
Using this list of about 500 hashed, pwned, passwords, you may now check to see if your precious SHA-1 password appears (identically) anywhere in the list. If you do find an identical match, then you know that your password is not safe, and thus, not so precious! If your password's SHA-1 does not appear in the list, then you can celebrate because you hold the secret sauce to a password that has not yet been pwned.
To save you the trouble, I've written a simple Linux bash script that uses the API and allows you to test your passwords:
Save this file as "testpass.sh" and mark it executable:
In a prompt, you can test your password by feeding it a password as an argument. For example:
or
Note that if you're using this script in your shell, the only issue is that it will exist in your shell history. You may be interested in purging your Bash history as follows:
Hopefully, this helps you with creating strong, uncompromised passwords, or otherwise gives you the much needed sleep knowing that the strong password you've been using over the past ten years hasn't (yet!) been pwned.
Just remember to test your passwords every now and again!
Code: testpass.sh