
Pwned Passwords, Version 6 - weinzierl
https://www.troyhunt.com/pwned-passwords-version-6/
======
vivekv
I am seeing multiple discussions confusing the 'have I been pwned' and 'pwned
passwords' services. This is a release of pwned passwords. I wrote a small
commandline tool where I generate my own passwords and I validate them against
the pwned passwords database. The code can be seen here
[https://github.com/vivekhub/password-generator/blob/9a3ca8aa...](https://github.com/vivekhub/password-generator/blob/9a3ca8aafaa39d3007293aff2b7f49ad2fc843d2/passgen#L73).
The two lines of python code summarize the approach. Create a SHA1 and send the
first five characters.

------
yread
has anyone used the bloom filter that uses this?
[https://github.com/62726164/bp](https://github.com/62726164/bp)

~~~
lstamour
There are a few implementations of this kind of filter -
[https://github.com/search?q=have-I-been-bloomed](https://github.com/search?q=have-I-been-bloomed)
lists four I found. I haven’t seen any usages yet in open source code on Github
though.

Most seem to use the web API: for example
[https://github.com/search?l=PHP&q=haveibeenpwned+API+v2+pwne...](https://github.com/search?l=PHP&q=haveibeenpwned+API+v2+pwnedpasswords&type=Code)

Other projects for pwnedpasswords:
[https://github.com/search?q=pwnedpasswords&type=Repositories](https://github.com/search?q=pwnedpasswords&type=Repositories)
YMMV, “read the source, Luke!” :)

------
timothy-quinn
I've always found HIBP in this funny conflicting situation - on one hand you
should never provide your email or password to a 3rd party service because
it's probably malicious, but on the other hand in HIBP's case it's very
evidently _not_ malicious, so it's totally fine. But it's evident only if you
follow Troy for a while to see what he's doing.

I think it's a good study in game theory at the least.

~~~
taf2
You don’t have to send the password to determine if it’s pwned... they have a
hashing scheme to determine if a password was in any leaks.

See
[https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange)

~~~
laegooose
How can a regular user validate this? A malicious or compromised site could
have the same explanations and API page but would actually collect passwords.

~~~
goda90
It lets you search based on the first 5 characters of a SHA-1 password hash.
So you use a trusted tool on your own computer to hash the password you want
to search, and pass in just part of it. You get multiple results, and you can
then compare against the hashes yourself to see if yours is in there. There's
no way for them to collect your password that way.

------
jordache
I've always felt nervous entering my info, to do a look up. It's yet another
data trail to elevate a certain set of stolen data above the noise of
unused/throw away/dead accounts.

~~~
NobodyNada
Pwned Passwords uses a k-anonymity scheme so that your password is never
actually sent to the server [0]. You can just call the API directly [1] so
that you don’t have to trust haveibeenpwned.com’s JavaScript with your
password.

[0]: [https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2#cloudflareprivacyandkanonymity)

[1]:
[https://haveibeenpwned.com/API/v3#PwnedPasswords](https://haveibeenpwned.com/API/v3#PwnedPasswords)

~~~
tsbinz
And if you are really paranoid, you can just download the whole set of hashes
and do the lookup yourself.

------
sleavey
Is there a way I can hash my password myself then check if the hash is in the
database via the web?

~~~
advisedwang
Yes: do a SHA1 of your password (no trailing newline), then fetch
https://api.pwnedpasswords.com/range/{first 5 hash chars}. If the full hash
appears in the results, the password has been seen in a breach.

~~~
tsbinz
Small correction: It's not the full hash that appears in the results, it's the
suffix (so the part after the 5 chars you put into the URL).

If you don't want the password to end up in your shell history, this works in
the shell with common tools:

tr -d '\n' | sha1sum

Then type the password you want to look for, hit enter and control-d. You can
test with "common" passwords like
[https://www.reddit.com/r/XFiles/comments/6ge7h4/mulders_home...](https://www.reddit.com/r/XFiles/comments/6ge7h4/mulders_home_computer_password_is_8_characters/)
if you're doing it right.
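
The range lookup that goda90, advisedwang and tsbinz describe above (hash locally, send only the first five hex characters, compare the returned suffixes yourself) and that laken summarizes below, written out as a Python example added here. This is not code from the thread, from the linked article, or from HIBP. The endpoint is the one linked in the thread; the User-Agent string is an assumption; the sample range response, its suffixes other than the first, and all of its counts are constructed for the example and are not real API output.

```python
import hashlib
import urllib.request

# Range endpoint linked in the thread (advisedwang's and NobodyNada's comments).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password bytes as upper-case hex, with NO trailing
    newline (the same property tsbinz's `tr -d '\\n' | sha1sum` trick gives you
    in a shell)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all the server ever sees;
    the remaining 35 chars stay on this machine."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns into {suffix: count}.
    Tolerates CRLF line endings, blank lines and malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # malformed line: skip it rather than crash
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Compare the locally kept suffix against the suffixes in a range response.
    Returns the breach count for the password, or 0 if its suffix is absent."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call: download the range for one 5-char prefix.
    Only these five hex characters are sent to the service."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-range-example"},  # assumed: any UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End to end: hash locally, send the prefix, compare the suffix locally."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Only the first suffix is the genuine suffix of SHA-1("password"); the other
# suffixes and every count are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00000000000000000000000000000000001:2\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\r\n"
)

if __name__ == "__main__":
    print(sha1_hex("password"))  # 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    print(breach_count("password", SAMPLE_RANGE_5BAA6))  # 3730471 (constructed count)
    print(breach_count("unlisted-example-1", SAMPLE_RANGE_5BAA6))  # 0: suffix not in the list
    # For a live check against the real service, call check_password_online(password).
```

The offline path (`breach_count` over a captured or constructed response) is what a reviewer can audit: nothing but the five-character prefix is ever handed to `fetch_range`, and the suffix comparison happens in `parse_range_response` on the client side, which is exactly the property the k-anonymity scheme relies on.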

------
unnouinceput
Quote: "Further, a whole bunch of passwords that, um, well, I can't really
print here also make an appearance, but use your imagination and you'll
probably be able to work out a few of those."

Hihi, this cracked me up, best joke for today. Keep up the good work, Troy.

------
netman21
I don't get what Troy Hunt has done to his tool. You used to be able to type
in an email address and learn all the times your credentials have been in a
leak/breach. Now he wants you to _enter your password_. What security minded
person would reveal their password to a site like this? It would be trivial to
associate your password to your IP address.

~~~
laken
You're getting two different tools mixed up -- "Have I Been Pwned?" and "Pwned
Passwords."

Have I Been Pwned is the tool where you search your email, and it displays
breaches.

Pwned Passwords is an API (there is a front-end but that's not the use case)
where you send a partial hash of a password to the API, and it returns a list
of partial hashes that match, and the implementation from there sees if any of
them match the full hash. It's used by quite a few online services to ensure
users don't use weak passwords, as if it's shown up in multiple data breaches,
they might not let you set it as your password.

~~~
fuhrysteve
Good article explaining how they use k-anonymity here:

[https://blog.cloudflare.com/validating-leaked-passwords-with...](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/)

