initial commit

This commit is contained in:
koksnuss 2019-05-12 14:59:54 +02:00
commit 968ad8c636
2 changed files with 106 additions and 0 deletions

README.md Normal file

@ -0,0 +1,42 @@
Check if your passwords got pwned.
This tools searches your password in the leak-database from [haveibeenpwned.com](https://pwnedpasswords.com). However, your password is not beeing exposed. Instead the 5 first characters from the sha1-hash of your password are send to the [api](https://api.haveibeenpwned.com/range/):
```
1. Secret password: c@ntknOwth1s
2. Compute the sha1: 68f2b2d8713ff1c25a437db21dbbd395bfb9881e
3. Take first 5 chars: 68f2b
4. Make a request: https://api.haveibeenpwned.com/range/68f2b
5. Get a list with similar hashes that start with the same 5 chars.
6. Search for the sha1 hash (from step 2) within the list.
# Examples
## Pass passwords as arguments
Note: This approach will put all entered password in your shell command history (such as the bash history). Therefore this method is only recommended if you trust anybody else who has acces to the history or if you clean all passwords from the history.
The following shows that passwords like `password`, `p@ssw0rd` and even `p@$$wOrd` have been leaked already and should obviously never be used as passwords again. Note the use of single ticks `'` for the third and fourth password as the `$`-sign confuses the shell otherwise.
```
./have_I_b33n_pwned.py password p@ssw0rd 'p@$$wOrd' 'P@$sW0rD&'
password leaked sha1
--------------------------------------------------------------------------------
password 3645804 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
p@ssw0rd 50431 57B2AD99044D337197C0C39FD3823568FF81E48A
p@$$wOrd 5 40C38039F7CBA6C201CFF01CBB239150E0FF2AA8
P@$sW0rD& not yet 1B34EF732FC1EB5925EEAF3155BECBB44275194A
```
## Enter password secretly into a prompt
When you invoke the script without any arguments you will be prompted for a password which you can enter without somebody else seeing the characters on the screen:
```
./have_I_b33n_pwned.py
Tell me your password:
password leaked sha1
--------------------------------------------------------------------------------
***************** not yet D733AC268852F7796A0E2118531347A8B4954734
```
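Review bot: The code fence opened on the line right before "1. Secret password: c@ntknOwth1s" is never closed, so everything from "# Examples" down to the first example's opening fence renders as preformatted text and the later fences pair up wrong; add a closing "```" after step 6. The README also links the API as https://api.haveibeenpwned.com/range/ while the script queries https://api.pwnedpasswords.com/range/ (the "haveibeenpwned.com" link text already points at pwnedpasswords.com); use one host in both places. In the argument-passing note, "only recommended if you trust anybody else who has acces to the history" reads as the opposite of what is meant; suggest "only if you trust everyone who has access to the history". Worth adding to the same note that passwords passed as arguments are also visible to other local users in the process list (e.g. `ps`) for as long as the script runs, which the history-cleaning advice does not cover. Minor spelling: "This tools" -> "This tool", "beeing" -> "being", "are send" -> "are sent", "acces" -> "access".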

have_I_b33n_pwned.py Executable file

@ -0,0 +1,64 @@
#!/usr/bin/env python3
from sys import argv, stdout
from hashlib import sha1
from getpass import getpass
from requests import get
RED = "\033[1;31m"
GREEN = "\033[0;32m"
RESET = "\033[0;0m"
API = 'https://api.pwnedpasswords.com/range/'
ROW = '{:<30}{:<10}{:<45}'
HIDDEN = False
def header():
print()
print(ROW.format('password', 'leaked', 'sha1'))
print('-' * 80)
def prompt_password():
print()
password = getpass('Tell me your password: ')
global HIDDEN
HIDDEN = True
header()
query(password)
def query(password):
password_hash = sha1(password.encode('UTF-8')).hexdigest().upper()
request = password_hash[:5]
response = get(API + request).text
hash_searched = 'not yet'
for answer in response.splitlines():
data = answer.split(':')
combined_hash = request + data[0]
if password_hash == combined_hash:
hash_searched = int(data[1])
break
if hash_searched == 'not yet':
stdout.write(GREEN)
else:
stdout.write(RED)
if HIDDEN:
password = '*' * len(password)
print(ROW.format(password, hash_searched, password_hash))
stdout.write(RESET)
if __name__ == '__main__':
if len(argv) < 2:
prompt_password()
else:
header()
for password in argv[1:]:
query(password)
print()
exit(0)
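Review bot: `query()` never checks the HTTP response, so a non-200 reply (rate limiting, outage, a proxy error page) is split line by line, matches nothing, and is printed in green as "not yet" -- a false negative in exactly the direction a user would act on. Suggest `response = get(API + request, timeout=10)` followed by `response.raise_for_status()` before parsing, and catching `requests.RequestException` in `__main__` to print an error and exit non-zero instead of reporting the password as clean. Related: `hash_searched` is a string sentinel that later becomes an `int`, and the `'not yet'` comparison is the only thing separating "checked, no match" from "not checked"; a `None` initial value (or a small named result) would make the three states explicit and keep `ROW.format` simple. The line splitting assumes every line is `SUFFIX:COUNT`; an `if ':' not in answer: continue` guard would make the parser robust to a blank trailing line. Style: `exit(0)` at module level should be `sys.exit(0)` (the `exit` builtin comes from the `site` module and is not guaranteed in all runtimes), and the README's "HIDDEN" masking prints `'*' * len(password)`, which leaks the password length to a shoulder surfer; a fixed-width mask would avoid that. A short module docstring explaining the k-anonymity scheme (first 5 hex chars of the SHA-1 sent, rest matched locally) would also help, since the README is the only place it is described.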