This blog post was inspired by a recent article at Ars Technica about yet another e-mail and password collection containing approximately 773 million e-mail addresses and 21 million passwords.
While reading the article I followed some of the embedded links to other articles and blog posts, and eventually ended up at the ‘Have I Been Pwned’ (HIBP) API documentation pages. The interesting part, to me, was how the HIBP API works: you don’t actually send the complete password or its hash. It has always seemed a bit weird to me to send the password (or hash) you actually use to any site just to check whether it has been breached. I don’t think HIBP is doing anything other than what is described on their site, but if we are going to put our paranoid hats on then…
The complete API documentation is linked at the bottom of this post.
In short, what you send to the API is only the first five characters of the hash (the ‘range’, as they describe it), and you get back all the hashes that match that particular range.
So let’s say that the SHA-1 hash of your password is: EBFC7910077770C8340F63CD2DCA2AC1F120444F
The first 5 characters are EBFC7; that is all that is sent to the API.
The returned result, at the time of writing, is 520 different hashes that start with those 5 characters.
With the returned result you can then check locally whether any of the returned hashes matches the rest of your hashed password, i.e. whether 910077770C8340F63CD2DCA2AC1F120444F is among the returned suffixes. If it is, you know that this particular password has previously been found in a breach or leak. If it isn’t in the list, you have not given away what the rest of your password’s hash is.
By the way, the hash above is for the password ‘Passw0rd’, which has been found 51887 times.
I wrote a script/function that uses this API to check whether a password has previously been compromised. The API requires TLS 1.2 or TLS 1.3, so there is a second function in the script that checks for this and enables TLS 1.2 if it is not already enabled.
If you run it as a script file, remember to dot-source it so that the functions remain available in the running session.
Alternatively run it in e.g. an ISE session.
PS C:\> . C:\scripts\Test-PwnedPassword.ps1
PS C:\> Test-PwnedPassword -Password 'Passw0rd'
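For readers who want to see the range lookup described above step by step, here is an added Python example that does the same thing as the PowerShell function (it is not the script linked below). It assumes the range endpoint https://api.pwnedpasswords.com/range/{prefix} and the ‘SUFFIX:COUNT’ response format; the sample response body embedded for offline use is constructed, not a real API reply.

```python
import hashlib
import urllib.request

# Constructed sample response for the range EBFC7 (the real API returns
# hundreds of lines). Each line is "<35-char hash suffix>:<breach count>".
SAMPLE_RANGE_RESPONSE = (
    "00A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2:3\r\n"
    "910077770C8340F63CD2DCA2AC1F120444F:51887\r\n"
    "FFEE00112233445566778899AABBCCDDEEFF001:12\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix is compared locally against the returned candidates."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, tolerating CRLF and blanks."""
    matches: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def fetch_range(prefix: str) -> str:
    """Live lookup of one range; urllib negotiates TLS 1.2+ on current Python."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-lookup-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """Number of times the password appeared in breaches (0 = not found).

    `fetcher` is injectable so the check can run offline against a captured
    response body; the default performs the real network lookup."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)
```

Running `pwned_count("Passw0rd", lambda p: SAMPLE_RANGE_RESPONSE)` exercises the whole flow without network access; drop the second argument for a live lookup.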
Link to the code:
Link to the API documentation.
Have I Been Pwned – API