Have I Been Pwned?

blog Pming

My wife and me got impressed by an article in German c't "Der Hacker-Hunter" about Troy Hunt and his efforts. Afterwards I wrote a simple Ruby script to check against his database of leaked accounts and passwords, https://haveibeenpwned.com. Currently there are about 550 millions records of 2.2 billions leaked. Probably there were many duplicates.

We tested our accounts and some of our passwords. The results were somewhere between interesting, surprising and shocking. I can heartily recommend everyone to do the same, learn and adapt. In any case, listed passwords need to be avoided!

Here the script: hibp.rb. It needs a ruby httpclient gem. Probably you will also need getopts.rb. It has been obsoleted in newer rubies, but I like it for its simplicity and have many scripts which depend upon it.

hipb.rb can check for an account or password. It shows the request and response, so that you can know what is going on. I do not like to enter my credentials on a web page. The script is simple enough for a review.

Here an account check (-a) for jarek, showing the relevant leaks, like on https://haveibeenpwned.com. Response will be empty if an account is not listed. Luckily these are not my accounts.

jarek@Some:~/misc_scripts$ ./hibp.rb -a jarek
Request: https://haveibeenpwned.com/api/v2/breachedaccount/jarek?truncateResponse=true
Response: [{"Name":"Forbes"},{"Name":"Gawker"},{"Name":"Snapchat"},{"Name":"Win7Vista"}]

A password check (-p) keeps your password on a local machine. It sends only 5 initial characters of the SHA-1 hash (k-Anonymity) and looks for a match in the returned list of a few hundred entries. I've never used my name for a password, but it has been listed 2781 times.

jarek@Some:~/misc_scripts$ ./hibp.rb -p jarek
SHA-1: 0B79F5E5F0BBA1537EABB84336FADDABF8B19142
Request: https://api.pwnedpasswords.com/range/0B79F
184 hash(es) returned
5E5F0BBA1537EABB84336FADDABF8B19142:2781
Password found 2781 time(s)

I plan to provide a standalone version, which does not require to install ruby. Perhaps an offline check against the file, some simple GUI?

Kommentar hinzufügen

Nächster Beitrag Vorheriger Beitrag