have_i_b33n_pwned/README.md

Check if your passwords got pwned.

This tools searches your password in the leak-database from [haveibeenpwned.com](https://pwnedpasswords.com). However, your password is not beeing exposed. Instead the 5 first characters from the sha1-hash of your password are send to the [api](https://api.haveibeenpwned.com/range/):

1. Secret password:     c@ntknOwth1s
2. Compute the sha1:    68f2b2d8713ff1c25a437db21dbbd395bfb9881e
3. Take first 5 chars:  68f2b
4. Make a request:      https://api.haveibeenpwned.com/range/68f2b
5. Get a list with similar hashes that start with the same 5 chars.
6. Search for the sha1 hash (from step 2) within the list.


# Examples

## Check multiple password at once as script arguments
Note: This approach will put all entered password in your shell command history (such as the bash history). Therefore this method is only recommended if you trust anybody else who has acces to the history or if you clean all passwords from the history.

The following shows that passwords like `password`, `p@ssw0rd` and even `p@$$wOrd` have been leaked already and should obviously never be used as passwords again. Note the use of single ticks `'` for the third and fourth password as the `$`-sign confuses the shell otherwise.
```
./have_I_b33n_pwned.py password p@ssw0rd 'p@$$wOrd' 'P@$sW0rD&'

password                      leaked    sha1
--------------------------------------------------------------------------------
password                      3645804   5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
p@ssw0rd                      50431     57B2AD99044D337197C0C39FD3823568FF81E48A
p@$$wOrd                      5         40C38039F7CBA6C201CFF01CBB239150E0FF2AA8
P@$sW0rD&                     not yet   1B34EF732FC1EB5925EEAF3155BECBB44275194A

```

## Check one password at a time via a secure prompt
When you invoke the script without any arguments you will be prompted for a password which you can enter without somebody else seeing the characters on the screen:
```
./have_I_b33n_pwned.py

Tell me your password:

password                      leaked    sha1
--------------------------------------------------------------------------------
*****************             not yet   D733AC268852F7796A0E2118531347A8B4954734

```
initial commit 2019-05-12 14:59:54 +02:00			`Check if your passwords got pwned.`

			`This tools searches your password in the leak-database from [haveibeenpwned.com](https://pwnedpasswords.com). However, your password is not beeing exposed. Instead the 5 first characters from the sha1-hash of your password are send to the [api](https://api.haveibeenpwned.com/range/):`
fix 2019-05-12 15:02:27 +02:00
initial commit 2019-05-12 14:59:54 +02:00			`1. Secret password: c@ntknOwth1s`
			`2. Compute the sha1: 68f2b2d8713ff1c25a437db21dbbd395bfb9881e`
			`3. Take first 5 chars: 68f2b`
			`4. Make a request: https://api.haveibeenpwned.com/range/68f2b`
			`5. Get a list with similar hashes that start with the same 5 chars.`
			`6. Search for the sha1 hash (from step 2) within the list.`


			`# Examples`

Enhance wording 2019-05-12 15:04:49 +02:00			`## Check multiple password at once as script arguments`
initial commit 2019-05-12 14:59:54 +02:00			`Note: This approach will put all entered password in your shell command history (such as the bash history). Therefore this method is only recommended if you trust anybody else who has acces to the history or if you clean all passwords from the history.`

			The following shows that passwords like `password`, `p@ssw0rd` and even `p@$$wOrd` have been leaked already and should obviously never be used as passwords again. Note the use of single ticks `'` for the third and fourth password as the `$`-sign confuses the shell otherwise.
			```
			`./have_I_b33n_pwned.py password p@ssw0rd 'p@$$wOrd' 'P@$sW0rD&'`

			`password leaked sha1`
			`--------------------------------------------------------------------------------`
			`password 3645804 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8`
			`p@ssw0rd 50431 57B2AD99044D337197C0C39FD3823568FF81E48A`
			`p@$$wOrd 5 40C38039F7CBA6C201CFF01CBB239150E0FF2AA8`
			`P@$sW0rD& not yet 1B34EF732FC1EB5925EEAF3155BECBB44275194A`

			```

Enhance wording 2019-05-12 15:04:49 +02:00			`## Check one password at a time via a secure prompt`
initial commit 2019-05-12 14:59:54 +02:00			`When you invoke the script without any arguments you will be prompted for a password which you can enter without somebody else seeing the characters on the screen:`
			```
			`./have_I_b33n_pwned.py`

			`Tell me your password:`

			`password leaked sha1`
			`--------------------------------------------------------------------------------`
			`***************** not yet D733AC268852F7796A0E2118531347A8B4954734`

			```