Checking a password against Troy Hunt's list
28 Mar 2021
Troy Hunt, of HaveIBeenPwned.com, a site that helps you learn what data breaches your email address was involved in, also keeps a database of hacked passwords at api.PwnedPasswords.com so you can check if your password’s as bad as password123
without actually typing your password anywhere on the internet. I can’t remember where I found my instructions for using it anymore, so I’m writing it down myself for future reference, and I apologize to whoever I’m not crediting. I dusted these off recently to make a case to a family member for changing certain passwords I don’t approve of (tip: just get your passwords from Gibson Research Corporation’s random high-entropy password generator).
- Compute the SHA-1 hash for the password in question. From Windows, you can do this in the Git Bash shell you’ve likely installed on your computer if you’re a programmer – or on any other Unix-like command prompt. (I have yet to find a short-and-sweet command in Windows PowerShell.) Here are 3 examples using passwords of
password
,monkey123
, andxyzzy
.echo -n 'password' | sha1sum | awk '{print toupper($1)}'
(result:5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
)echo -n 'monkey123' | sha1sum | awk '{print toupper($1)}'
(result:721D65122734734800A1EDD6E68C03210E7B2ACA
)echo -n 'xyzzy' | sha1sum | awk '{print toupper($1)}'
(result:AB69DB8315AF7DE6E673A6DDF128D415157A7C3F
)
- In a web browser, pull up the URL
https://api.pwnedpasswords.com/range/FIRST_FIVE_OF_HASH_HERE
. So, for example: - In the resulting page, in your web browser, pick about 5-7 characters from anywhere in the rest of the SHA-1 hash. For example,
EE68FD8
from the hash forpassword
(its last 7 characters). Hit Ctrl+F to pull up the “find in page” functionality in your web browser and type those characters. Make sure the result that the cursor jumped you to matches the “remainder” (after the first 5 characters) of the hash in its entirety; if not, search again or add more characters for a more precise search. - See how bad things are:
- If you don’t find your hash “remainder” in the page, you made a typo … or it’s never appeared in a hacked passwords dump – lucky you.
- If you do find it, read the number of times it’s been found in hacked-password dumps to get an idea of how likely it is to be vulnerable to a brute-force attack where common passwords are part of the “dictionary” of things to try.
- Clear out your Git Bash history so the password you were curious about isn’t in plaintext on your computer in its history by typing the following 2 commands (note: I had to do this a few times, opening & closing Git Bash & hitting my “up” key to double-check, before I was fully satisfied that I had nothing but
exit
in my history):cat /dev/null > ~/.bash_history
history -c