On Tue, Mar 21, 2023 at 02:28:08PM +0100, Pavel Raiskup wrote:
> Hello all!
> Do we have HaveIBeenPwned database of hashes somewhere in Fedora, as a
> file or service (regularly updated)? I'd prefer checking my passwords
> manually, without actually giving the passwords to the
> https://haveibeenpwned.com service. Speaking of that, I really dislike
> that the service takes the real passwords on its input.
> It seems I was able to reproduce the steps-to-download (currently
> downloading):
> https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader
> But that will take quite some time...
> Has anyone planned to at least package that dotnet utility? How do you
> do this?
On https://haveibeenpwned.com/Passwords there's a link to the explanation on how it works:
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#clo...
Summary: it hashes the password, submits the first 5 letters and then
compares the rest of the hash against the returned set of possible matches.
If you don't trust the website, you can do this yourself in Python with a few lines of code:
```
#!/usr/bin/env python3
import hashlib
import requests

pwd = "P@ssw0rd"
# SHA-1 of the password; the API returns suffixes in upper-case hex
myhash = hashlib.sha1(pwd.encode("utf8")).hexdigest().upper()
# only the first 5 hex characters leave the machine (k-anonymity range query)
r = requests.get(f"https://api.pwnedpasswords.com/range/{myhash[:5]}", timeout=10)
r.raise_for_status()
# each returned line is "<35-char suffix>:<breach count>"
for line in r.text.splitlines():
    suffix, _, count = line.partition(":")
    if suffix == myhash[5:]:
        print(f"Compromised: {myhash} seen {count} times")
```
Creating a CLI for this should be trivial, packaging it too :)
Cheers,
Peter
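Pavel's original question was about checking against a local copy rather than the service. The following is an added example (not code from either poster) that does the same prefix/suffix split Peter describes, but entirely offline against range files in the `SUFFIX:COUNT` format the API returns. The one-file-per-prefix layout assumed in `file_range_lookup` and the `SAMPLE` dump are constructed here, not taken from the downloader.

```python
"""Offline Pwned Passwords check against a local dump (no network)."""
import hashlib
import os


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest in the upper-case form the dump and the API use."""
    return hashlib.sha1(password.encode("utf8")).hexdigest().upper()


def parse_range(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix:
            counts[suffix.upper()] = int(count) if count.isdigit() else 0
    return counts


def breach_count(password: str, range_lookup) -> int:
    """Split the hash into a 5-char prefix and 35-char suffix, fetch the range
    text for the prefix via range_lookup(prefix) (None if absent) and return
    how often the exact suffix appears; 0 means not found."""
    digest = sha1_upper(password)
    text = range_lookup(digest[:5])
    return parse_range(text).get(digest[5:], 0) if text else 0


def file_range_lookup(dump_dir: str):
    """Assumed on-disk layout: one file per prefix, dump_dir/<PREFIX>.txt."""
    def lookup(prefix: str):
        try:
            with open(os.path.join(dump_dir, f"{prefix}.txt"), encoding="ascii") as fh:
                return fh.read()
        except FileNotFoundError:
            return None
    return lookup


# Constructed sample dump: ranges built from two known-weak strings plus a
# decoy suffix, so the lookup can be exercised without the real multi-GB file.
SAMPLE = {}
for _pw, _count in (("P@ssw0rd", 12345), ("password", 9999999)):
    _h = sha1_upper(_pw)
    SAMPLE[_h[:5]] = SAMPLE.get(_h[:5], "") + f"{_h[5:]}:{_count}\r\n"
SAMPLE[sha1_upper("P@ssw0rd")[:5]] += "0" * 35 + ":7\r\n"


def check_sample(password: str) -> int:
    """Breach count for `password` in the constructed SAMPLE dump."""
    return breach_count(password, SAMPLE.get)
```

With a real dump on disk, call `breach_count(pw, file_range_lookup("/path/to/dump"))` instead of `check_sample`.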